BNI Sekuritas

PRIVACY NOTICE

This Privacy Notice is effective as of 22nd May 2025

Welcome to our Privacy Notice page. We aim to provide clarity and assurance to User regarding how we collect, use, and protect User’s Personal Data and information. By reading the Privacy Notice below, we hope User feels secure and reassured that the security of User’s Personal Data and privacy is our utmost priority.

The terms used in this Privacy Notice are defined as follows:

  1. “We” or “the Company” refers to PT BNI Sekuritas, a subsidiary of PT Bank Negara Indonesia (Persero) Tbk, engaging in the capital market sector (“BNI Sekuritas”).
  2. “User” refers to each individual owner of Personal Data (data subject) who has utilized and/or will utilize our products and/or services, visitors and users of our websites/applications/electronic systems, as well as any third party to whom this Privacy Notice applies.
  3. “Business Group” refers to all affiliated companies under the same group due to direct or indirect ownership and/or control by the Company (relation between parent company, Company’s subsidiaries, and other affiliates).
  4. “Personal Data” refers to any data relating to the User that is identified or identifiable, independently or in combination with other information, whether directly or indirectly through electronic or non-electronic systems as defined by the Prevailing Regulations.
  5. “Prevailing Regulations” refers to Law No. 27 of 2022 on Personal Data Protection and any other relevant and prevailing laws and regulations, including their amendments from time to time.
  6. “Processing” refers to any activity of obtaining, collecting, filtering, analyzing, storing, rectifying, updating, displaying, announcing, transferring, disseminating, disclosing, erasing, and/or destroying User's Personal Data.

The Personal Data we process consists of Personal Data provided and to be provided to us by User, including Personal Data as described in the Acquisition and Collection of Personal Data section herein for the purpose of providing the Company’s products and/or services as requested by User, including for the fulfillment of our agreement or legal obligations under laws and regulations, at the time User visits, accesses, and/or utilizes the Company’s products and/or services, including our websites/applications/electronic systems (“Services”).

SCOPE OF APPLICATION

By utilizing our Services, the User declares that he/she has read, known, and understood the entire contents of this Privacy Notice, and also declares that User is the legal and authorized party to provide User’s Personal Data to the Company through the Company’s Services channels.

We may amend, eliminate, and/or update this Privacy Notice from time to time as necessary. If such amendments, erasure, and/or updates are information changes that require User to be notified pursuant to the Prevailing Regulations, we will make reasonable efforts to notify User beforehand through our official communication channels. We recommend that User read the following Privacy Notice in conjunction with our Terms and Conditions of Service, as they may contain specific information relating to the Services, including how the Company processes User’s Personal Data.

The version of the Privacy Notice displayed on our websites/applications/electronic systems constitutes the latest update and supersedes all our previous versions. Therefore, we encourage User to regularly review this Privacy Notice on our websites/applications/electronic systems.

ACQUISITION AND COLLECTION OF PERSONAL DATA

It is important for User to understand the categories and types of User’s Personal Data that may be processed. These types of data include:

  1. Personal Profile Identification Data, which can be full name, National Identification Number, Taxpayer Identification Number, gender, nationality, place and date of birth, mother’s maiden name, religion, voice recordings, image recordings, photographs, signature form (wet ink and/or electronic), and/or biometric data;
  2. Correspondence Data, which can be the address as per the Identity Card, address and domicile status, email address, phone/mobile number, and emergency contact information including name, relationship to the User, address, phone/mobile number, and email;
  3. Education and/or Employment Data, which can be education level, job type, business field, position, division, year of employment/business commencement, name of the employer/organization, workplace address, employment status, as well as the name, position, and phone number of coworkers;
  4. Family Data, which can be marital status, spouse’s name, number of children, and number of dependents;
  5. Financial Data, which can be account number, source of income, monthly/annual income, monthly/annual expenses, transaction data, credit/financing data, investment-related data, asset-related data, collateral-related data, taxation data, and service data from other financial services that the User receives;
  6. Digital Activity Data, which can be geolocation, IP/MAC address, User’s activity within the Company’s applications, interactions between the Company’s applications and other applications in the User’s electronic devices, type of mobile device used, unique ID of the User’s mobile device, operating system of the User’s mobile device, type of mobile browser used, device unit identifier, and other diagnostic data; and/or
  7. Personal-related Data, which can be health data, law violations, communication preferences, hobbies, and interests.

TRACKING & COOKIE DATA

We use cookies and similar tracking technologies to monitor activities in our Services and to store certain information. A cookie is a file containing a small amount of data, which may include an anonymous unique identifier. Cookies are sent to the User’s browser from a website and are stored in the User’s device. Tracking technologies that are also used are sounds, tags, and scripts to collect and track information, as well as to enhance and analyze our Services.

Browsers may be set to reject all cookies or notify when a cookie is being sent. However, if cookies are not accepted, some parts of the Services might be inaccessible.

Kinds of cookies that we use:

  • Session Cookies: We use session cookies to operate our Services.
  • Preference Cookies: We use preference cookies to remember User’s preferences and various settings.
  • Security Cookies: We use security cookies for security purposes.

SOURCES OF USER’S PERSONAL DATA

To support us in providing optimal services to User, we will collect User’s Personal Data from various sources, including the following:

  1. Directly from the User;
  2. Information about the User generated when the User requests a service, utilizes our services, or has previously utilized our services;
  3. Personal Data from Business Group and/or other third parties that are partners of the Company or have a collaboration with the Company;
  4. Cookies, location services, IP addresses of the User when the User visits our websites/applications/electronic systems, or when the User fills out our contact form in our websites/applications/electronic systems, or data that the User has authorized to be accessed via User’s electronic device;
  5. From correspondence between the User and the Company via email, physical mail, or other official communication channels/media of the Company; and/or
  6. From survey data provided to the Company.

USE OF PERSONAL DATA

The processing of User’s Personal Data by the Company is carried out for the following purposes:

  1. To provide, design, and/or develop the Company’s services, facilities, products or offers, including assisting the Company in analyzing how its services are utilized, responding to inquiries, or notifying User of any changes to the services;
  2. For profiling or scoring activities in support of User automated decision-making to enhance service quality to User or risk management of the Company;
  3. For marketing purposes, namely offering products or services, including special offers, promotions, contests or potentially compelling information to User. Such marketing may be delivered to User by the Company and/or its Business Partners through various channels including via physical mail, email, short message services (SMS), telephone, fax, Company’s official correspondence tools and any other official communication media, subject to and in compliance with the prevailing laws and regulations;
  4. For the Company’s business operational purposes involving consultations with the Company’s professional advisors or external auditors, including legal advisors, financial advisors, and consultants, Business Group, and any parties bound by confidentiality obligations with the Company. In this regard, the Company will make best efforts to ensure that the above-mentioned parties comply with this Privacy Notice;
  5. To fulfill the requirements of Know Your Customer (KYC) principles, the Company’s risk mitigation efforts, or implementation of verification/authentication of the accuracy of User data, as required under prevailing laws and regulations;
  6. To comply with legal or regulatory requirements, including the administration of the Company’s business activities, reporting to regulators, or audits by authorized parties, conducted in accordance with the prevailing laws of Indonesia;
  7. To conduct research and statistical analysis, including the implementation of new technologies; and
  8. For other purposes aligned with the Company’s internal policies and procedures, or as described in the terms and conditions governing the relationship between the Company and the User, carried out in compliance with prevailing laws and regulations.

BASIS FOR PERSONAL DATA PROCESSING

The Company shall only process Personal Data to the extent that the Company has fulfilled one or more of the following processing bases:

  1. The Company has legally and explicitly obtained the User’s consent;
  2. The Company is exercising its rights and its obligations under an agreement with the User;
  3. The Company needs to exercise authority or fulfill obligations in accordance with prevailing laws and regulations or orders from an authorized institution;
  4. The Company needs to fulfill the vital interests of the User;
  5. The Company needs to perform tasks in the public interest and/or public services; or
  6. The Company needs to fulfill any legitimate interests, with regard to a balance between interests of the Company and rights of the User.

PERSONAL DATA MANAGEMENT

We are committed to storing and managing User’s Personal Data with the highest level of protection for as long as necessary to provide our services. We will process User’s Personal Data while User remains a Customer or user of our services. Thereafter, User’s Personal Data will be retained according to our retention period upon the termination of business relationship with the User, or for a longer period if such retention is required or necessary under prevailing regulations.

The Company may delete and/or destroy the User’s Personal Data from our systems so that the data no longer identifies the User, except in the following cases:

  1. When it is necessary to retain the Personal Data to fulfill legal obligations, such as for future evidentiary purposes, taxation, audits, and accounting; and/or
  2. The Personal Data is still within the retention period in accordance with prevailing laws and regulations.

When destroying Personal Data, we will take adequate standard security measures to destroy, delete, and render such Personal Data practically irrecoverable. The specific method of destruction will depend on the type of Personal Data being destroyed, as well as how it was collected and stored.

INFORMATION SHARING

Where necessary, we may share User’s personal information within the Business Group and/or any third parties that collaborate with us and/or the Business Group in carrying out the Company’s business activities ("Business Partners"), for the purposes set out in the Use of Personal Data section. We may also disclose User’s Personal Data to financial supervisory institutions, legal entities, authorities, or Government in accordance with the provisions of prevailing laws and regulations.

For the purposes of Personal Data Processing as described in the Use of Personal Data section, we may process User’s Personal Data outside of Indonesia. In the event of transferring User’s Personal Data outside of Indonesia, we will ensure that the destination country has a level of Personal Data protection that is equal to or higher than the level of Personal Data protection provided in Indonesia. If the destination country doesn’t have an equivalent or higher level of Personal Data protection, we will implement adequate and binding protection (such as entering into contracts with the recipient of the User’s Personal Data and/or applying written terms and/or instruments), or if such protection cannot be fulfilled, the Company may still transfer the Personal Data outside of Indonesia based on the User’s consent.

The Company has implemented Personal Data protection measures that are reviewed periodically to ensure the security of User’s Personal Data and to ensure that User can obtain its rights as Personal Data Subjects in accordance with prevailing regulations. If User requests details on Personal Data protection measures, such information can be provided upon request.

Please note that the transfer of Personal Data outside of Indonesia is not entirely secure. While we have made our best efforts to protect User’s Personal Data, there remains a possibility that such transfer processes may be subject to interference by unauthorized parties. In conducting the Personal Data transfer outside of Indonesia, the Company will make its best efforts to conduct the transfer process of User’s Personal Data using proper, reliable, and secure electronic systems to protect User’s privacy rights over Personal Data.

PERSONAL DATA SECURITY

We are committed to ensuring that the User’s information or Personal Data obtained through the Company’s services remains secure throughout the Personal Data Processing period (and during the Retention Period). To implement this commitment, the Company has established procedures and utilizes electronic systems equipped with adequate security measures as required by Prevailing Regulations, such as limiting access to User’s Personal Data solely to authorized parties on a need-to-know basis; ensuring that those who process User’s Personal Data do so only in authorized ways and are obligated to maintain the confidentiality of the User’s information or Personal Data; forming dedicated units responsible for the security of User’s Personal Data; and applying other security measures as required by Prevailing Regulations.

When User accesses the Company’s services or products, User is advised to download the Company’s services or products through the App Store or Play Store and not from links provided by unauthorized parties. In addition, the Company may require User to:

  1. Enter a Login Password and/or Transaction PIN and/or biometric access prior to logging into the Company’s Services;
  2. Maintain the confidentiality of User’s Login Password and/or Transaction PIN and not to disclose it to anyone; and
  3. Contact the Company in the event User’s Login Password and/or Transaction PIN is blocked, and follow the Company’s instructions to reactivate the Company’s Services or products.

Please note that the transmission of information online is not entirely secure. While we have made our best efforts to protect User’s Personal Data, there remains a potential risk to the security of data/information that User transmits through the networks used by User. Once we receive the data/information from the User, we will apply strict procedures and secure features as part of our efforts to prevent unauthorized access.

In the event of unauthorized access or illegal activities affecting the confidentiality of User’s Personal Data that are beyond the Company’s control, the Company will promptly notify User at the earliest opportunity so that User may take appropriate measures to mitigate the resulting risks.

User is responsible for maintaining the confidentiality of its information and Personal Data details, including usernames, passwords, email, and OTPs, and must not disclose them to anyone. User is also responsible for maintaining and ensuring the security of the devices User uses.

USER RIGHTS

User has the right to:

  1. Access and request a copy of User’s Personal Data, including obtaining and/or utilizing User’s Personal Data in a form that conforms to a structure and/or format commonly used or readable by electronic systems, for which we reserve the right to charge a reasonable fee to fulfill such requests.
  2. Request to rectify inaccurate data, complete the incomplete Personal Data, and update Personal Data. However, we may not accommodate requests to amend Personal Data if we believe such changes would violate the provisions of law and regulations or any legal requirements or render the information inaccurate.
  3. Submit complaints to the data protection authority or other independent regulators concerning our use of User’s Personal Data, and request the right to receive compensation and the obligations that must be fulfilled by Personal Data Controller in the event of Personal Data Processing violation.
  4. Request the cessation of processing, erasure, and/or destruction of User’s Personal Data if User’s Personal Data is no longer necessary for the purposes specified in the Use of Personal Data section, or if there is no legal basis for the Personal Data Processing, or if such action is not restricted by applicable provisions. Upon receiving requests for cessation, erasure, and/or destruction, we will provide an acknowledgement of receipt and confirm once the User’s Personal Data has been deleted and/or destroyed as required by Prevailing Regulations. As a consequence, User may no longer be able to receive/utilize our Services if User’s Personal Data is erased/destroyed, whether partially or entirely.
  5. Object to our use of User’s Personal Data for direct marketing purposes (including related profiling) or other processing based on legitimate interests.
  6. Object to decisions made solely based on automated processing, including profiling, that produce legal effects or significant impacts on the User.
  7. Where relevant, User may proportionally suspend or restrict the User’s Personal Data Processing. When such restriction is not feasible, we will notify User accordingly. However, User will still be able to exercise other rights as described in this Privacy Notice, including withdrawing User’s consent to process User’s Personal Data, to the extent that User has considered and accepted any potential consequences related to the provision of products and/or Services (if applicable).
  8. Where processing is based on consent, User may withdraw User’s consent at any time regarding the User’s Personal Data Processing conducted by us. Upon receiving such withdrawal of consent, we will confirm receipt and proceed to cease the processing of User’s Personal Data, to the extent that User has considered and accepted any potential consequences related to the provision of products and/or services (if applicable).

If User wishes to exercise its rights, or seeks clarification regarding User’s rights, please contact us through one of the communication channels listed in the Contact Us section.

EXERCISING USER’S RIGHTS

To exercise User’s rights, User may submit a request by contacting us through one of the channels listed in the Contact Us section. The exercise of certain rights may result in consequences related to the provision of Services; therefore, we will confirm the User's request, and/or the application for the exercise of User’s rights might not be fulfilled if exceptions to the exercise of such User’s rights are permitted under Applicable Regulations. Furthermore, we will make best efforts to carry out the exercise of the User's rights and/or provide confirmation and/or respond to the User's request within the predetermined period of time set forth by Applicable Regulations, specifically no later than 3x24 (three times twenty-four) hours from our receipt of, among others:

  1. request to withdraw consent for the Personal Data Processing;
  2. request to rectify Personal Data;
  3. request to access Personal Data; and/or
  4. request for a copy of Personal Data.

Any exercise of User’s rights as a Personal Data Subject related to alleged violations by the Company in the Personal Data Processing must be submitted in writing to the Company in accordance with the terms and conditions required under the Applicable Regulations. The Company will then act and/or respond to the User’s request within 3x24 (three times twenty-four) hours or within another period of time permitted by Applicable Regulations and/or prevailing civil procedural law, starting from the Company’s receipt of the report on Personal Data protection incident from the User, along with the selection of the court as the forum for dispute resolution.

ACTING ON BEHALF OF OTHERS

User is required to provide accurate data, information, and Personal Data to the Company. Failure to provide certain data and/or information may result in the Company being unable to provide full services to the User. When User provides us with Personal Data about another person (or an individual), the User represents that the User has been duly appointed and authorized by that individual to provide others’ Personal Data and/or act on their behalf, and the User ensures and warrants that the individual has understood and agreed that its Personal Data will be further processed in accordance with the Prevailing Regulations. This includes providing consent for:

  1. Our processing of their Personal Data and specific types of Personal Data (as described in the Acquisition and Collection of Personal Data section above); and
  2. The User receiving information protection notices on their behalf.

PRIVACY OF PERSONS WITH DISABILITIES

We may collect the Personal Data of Users with Disabilities by communicating with and obtaining consent from the Users with Disabilities and/or their guardians in accordance with the provisions of prevailing laws.

DIRECT MARKETING

We may send information about our products and/or services, as well as carefully selected third parties’ services through the Company’s official channels or direct communication tools with User, including via mail or electronic tools such as telephone, email, social media, or other electronic media, detailing products, services, and any special offers. We will do this only if the User has given consent for us to contact them through electronic or non-electronic tools.

Withdrawal of consent to receive direct marketing, whether through electronic or non-electronic media, can be conducted by using one of the channels listed in the Contact Us section. Upon receiving the withdrawal request, we will confirm receipt and proceed to cease User’s Personal Data Processing for such purposes. Please note that if the User chooses not to receive one kind of direct marketing, we still reserve the right to send the User messages related to our services or other products or services that the User utilizes.

CONTACT US

Users may contact us through the following channels:

Visit our official website at:
Contact our Customer Care Channel at:
Phone: 14016
Or visit the nearest BNI Sekuritas branch.