PRIVACY POLICY
1. General Information
The purpose of this Privacy Policy (hereinafter – the Policy) is to provide natural persons – data subjects – with clear, understandable, and transparent information about how AS NORD Credit, registration No. 40103472462, legal address: Bīskapa gāte 2, Rīga, LV-1050 (hereinafter – the Controller), processes personal data in the course of providing lending services.

This Policy has been prepared in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR),
• the Law on the Processing of Personal Data of Natural Persons,
• guidelines of the Data State Inspectorate (DVI),
• guidelines of the Consumer Rights Protection Centre (PTAC) in the field of consumer lending.

Who are we?
The joint-stock company NORD Credit, registration No. 40103472462, and the companies of its group – parent companies, subsidiaries, as well as sister companies – hereinafter referred to as “we”, “our”, “us”.

Our group of companies includes SIA NORD līzings LP, registration No. 40203081542, the limited liability company Biznesa Izaugsmes Fonds, registration No. 50203080661, and the joint-stock company Grand Credit, registration No. 50003952521 (hereinafter – the Group Companies).

Purpose of the Policy
The purpose of this Policy is to explain to data subjects how we, as the controller of your personal data, process your personal data, as well as to inform you how you can contact us, including for the purpose of exercising your rights guaranteed by applicable laws and regulations.

Since the regulatory framework governing the protection of personal data of natural persons sets a general objective to ensure individuals’ privacy, and the only way to achieve this objective is to make personal data protection an integral part of the activities of both private and public law entities, we ensure that all personal data that comes into our possession is properly protected and kept secure. Appropriate protection includes the use of necessary technical and organizational measures and the processing of personal data in compliance with applicable legal requirements.
The terms used in this Policy have the same meaning as defined in Article 4 of the General Data Protection Regulation (hereinafter – the Regulation).

We encourage all data subjects to periodically review this Policy carefully in order to obtain up-to-date information about the personal data processing activities carried out by us as a data controller, as these processes may change over time.

2. Data Controller and Contact Information
Personal data controller:
AS NORD Credit
Registration No.: 40103472462
Address: Bīskapa gāte 2, Rīga, LV-1050
Email: nordcredits@nordcredits.lv
Phone: +371 28646461
For any questions related to the protection of personal data, you are invited to contact us:

• by email at juristi@nordcredits.lv (with the note “to the data protection specialist”), or
• in writing to our legal address Bīskapa gāte 2, Rīga, LV-1050 (with the note “to the data protection specialist”).

3. Scope of the Policy
This Policy applies to:

• existing, former, and potential clients;
• persons applying for lending services;
• guarantors, co-borrowers, and payers;
• visitors to our website;
• visitors to our office located at Bīskapa gāte 2, Rīga, including processing carried out within the scope of video surveillance;
• persons whose data is processed on social media in connection with our marketing activities, including recipients of our commercial communications (newsletters);
• persons wishing to apply for our advertised vacancies, as well as persons whose data has been provided to us by applicants (e.g., referees);
• contact persons and representatives of our cooperation partners and service providers;
• persons who contact the Controller;
• any other persons who, in any manner, provide us with their personal data for any of the data processing purposes specified in this Policy.

4. Our role
To carry out certain data processing activities, we, the Group companies, are considered joint controllers. We jointly process data in order to assess your application for our Services, evaluate your creditworthiness and credit history (to the extent permitted by the rules governing the use of specific credit history databases), as well as for marketing and advertising activities.
Our mutual agreement, in brief, provides that:

• each company ensures compliance with personal data protection legislation, including maintaining the required documentation, providing information to data subjects, implementing technical and organizational security measures for personal data, and meeting other applicable requirements;
• the data subject has the right to contact any of the companies to exercise their rights, including obtaining information on how their personal data is processed. The company that is the initial recipient of the personal data and/or that provides the Service to the Client will provide the necessary information to the data subject;
• the joint controllers cooperate with each other in fulfilling their legally prescribed obligations as data controllers, including providing each other with the necessary assistance and information.

With regard to other data processing purposes mentioned in this Policy, the controller of your personal data is the company with which you have a contractual relationship and whose services you use or have expressed an intention to use.
To obtain more detailed information about data processing carried out by the joint controllers, you may contact our data protection specialist by writing to juristi@nordcredits.lv.

5. Categories of personal data
The categories of personal data processed depend on the purposes of the data processing; however, in general, we, as the controller, process the following categories of personal data:

1. Identification data:
first name, last name, personal identification number, date of birth, information contained in identity documents

2. Residence data:
address, place of residence

3. Contact information:
phone number, email address, declared address, residential address

4. Professional data:
information about education, profession or occupation, work experience, and characteristics describing the data subject

5. Financial data, including data used to assess credit repayment capacity prior to entering into a loan agreement:
information about financial status (income and expenses), income history, information on financial liabilities, credit history, information on circumstances that may affect changes in income, information on sources of income, information on existing loans, credits, mortgages and/or debts, income information provided by the employer, information on social security contributions and periods, information on maintenance (alimony) debts, bank information and bank account numbers, number of bank accounts, bank account statements and transaction history, including cash flow information, as well as other information that may be necessary to achieve the stated purpose.

6. Information obtained through video surveillance:
digital images and related information

7. Family information:
data about family members, marital status, information about children and/or dependants

8. Information we are required to process under legal obligations, including in relation to consumer lending:
data resulting from information requests received from the Consumer Rights Protection Centre, sworn bailiffs, investigative authorities, the State Revenue Service, courts, and other authorities

9. Information processed on social media:
social media profiles and publicly available information contained therein

10. Other information voluntarily provided by you that may contain personal data:
if you contact us, for example by submitting a question, we retain all relevant information, including the content of the communication

If you voluntarily provide us with personal data, please take into account the purpose for which such personal data is submitted and limit the amount of personal data provided to what is necessary to achieve that purpose. We kindly ask that personal data be provided only to the extent required for the purpose of the respective message, request, or inquiry, and we strongly encourage you not to provide health data or other special (sensitive) categories of personal data, as well as any excessive or irrelevant personal data unrelated to the specific matter.

6. Purposes of personal data processing and legal basis
Personal data is processed solely for specific and legitimate purposes:

6.1. Provision of lending services
Primarily, we process your personal data in order to provide services to you and to decide on the conclusion and performance of a contract. Please note that consumer lending in the Republic of Latvia is a strictly regulated service, and the legislator has imposed a number of obligations on us that must be fulfilled in order to enter into a contract.

Within the scope of fulfilling these obligations, we are required to collect a certain amount of information from you, including personal data, for example, to assess your loan application (including identifying you, evaluating your ability to repay the loan, and carrying out various risk checks and assessments), as well as to prevent irresponsible lending.

Your personal data may be processed for the following purposes:

1. For the provision of services:identification of the client;

• preparation and conclusion of contracts;
• performance of contractual obligations;
• development of new services;
• promotion and distribution of services;
• customer service;
• administration and maintenance of services;
• handling objections or complaints;
• customer retention, loyalty building, and satisfaction measurement;
• administration of settlements and payments;
• maintenance and improvement of websites;
• marketing activities, including the sending of commercial communications.

2. For business planning and analytics: ensuring commercial operations.

3. To ensure the safety of clients, employees, officers, and other persons, as well as to protect our property and interests as a legal entity:ensuring information security;

• ensuring the security of information systems;
• ensuring employee safety;
• ensuring property security;
• prevention and detection of fraud;
• prevention of money laundering;
• prevention of terrorist financing and the financing of the proliferation of weapons of mass destruction;
• prevention of misuse of services.

4. For other specific purposes for which the Client’s consent is usually obtained or the Client is given the opportunity to object to data processing, for example, for the sending of commercial communications.

5. For the exercise of our legitimate interests, for example, for the assertion of claims and debt recovery.

6. For the provision of information to state and municipal authorities, law enforcement agencies, and other public authorities —in cases and to the extent prescribed by law, for example, in response to requests from competent public authorities.

7. For the purposes of personnel recruitment:processing of personal data provided in CVs and motivation letters in order to assess suitability for a vacancy, conduct interviews, and obtain references.

In all cases, we process personal data in our possession only where there is a clearly defined purpose for such processing and where the processing is justified by one or more of the legal bases set out below.

6.2. Fulfilment of legal obligations
1. Conclusion and performance of a contract (Article 6(1)(b) of the Regulation)
Processing of personal data carried out for the purpose of taking steps prior to entering into a contract, concluding a contract between you and us, and performing such contract.
2. Compliance with legal and regulatory requirements (Article 6(1)(c) of the Regulation)
Processing of personal data carried out in connection with the fulfilment of legal obligations imposed on us by applicable laws and regulations.
3. Our legitimate interests as a service provider (Article 6(1)(f) of the Regulation)

• conducting commercial activities;
• verification of identity prior to the provision of services;
• storage of applications and requests for services;
• actions aimed at attracting and/or retaining clients;
• segmentation of the client database to ensure more effective service provision;
• development and improvement of services;
• promotion of our products and services, including the sending of commercial communications;
• sending other messages regarding the performance of the contract and significant events related to its performance, as well as conducting client surveys on products, services, and user experience;
• prevention of fraudulent activities against the company;
• ensuring corporate governance, financial and business accounting, and analytics;
• ensuring efficient company management processes;
• ensuring and improving service quality;
• administration of payments;
• video surveillance for the purposes of business, personal, and property security;
• informing the public about our activities.

4. Prior consent of the data subject (Article 6(1)(a) of the Regulation)
Processing of personal data carried out on the basis of your consent, expressed through an active action, including contacting us and providing your personal data or performing other active actions.
Consent to the processing of personal data where the legal basis is consent (for example, for receiving commercial communications or personal data analysis) is given in written form, for example, on our website or elsewhere.
You have the right to withdraw your consent at any time in the same manner in which it was given. In such case, further processing of personal data based on the previously given consent for the specific purpose will no longer be carried out. Please note that withdrawal of consent does not affect the lawfulness of processing carried out while the consent was valid, nor does it terminate processing based on other legal grounds.
5. Protection of vital interests of natural persons (Article 6(1)(d) of the Regulation)
Processing of personal data carried out in emergency situations for the purpose of protecting the vital interests of the data subject or another natural person.

6.3. Intra-group administrationPersonal data may be transferred within the Controller’s group of companies — to the parent company, subsidiaries, and sister companies — for the purposes of ensuring:

• centralized risk and credit portfolio management;
• internal audit;
• IT and customer service functions;
• compliance with regulatory requirements.

Legal basis: Article 6(1)(f) GDPR — the legitimate interests of the Controller and the group.

7.  Recipients of personal data
Personal data may be transferred to:

• group companies;
• credit information bureaus;
• debt collection service providers;
• IT, cloud service, and payment service providers;
• state and municipal authorities in cases provided for by law.

Data processing agreements compliant with Article 28 GDPR are concluded with all personal data processors.
We do not disclose to third parties any information obtained during the provision of services and the term of the contract, including information about services received, except in the following cases:

1. where you have explicitly consented to such disclosure;
2. to persons specified in external legal acts, upon their substantiated request, in the manner and to the extent prescribed by such legal acts;
3. in cases provided for by external legal acts to protect our legitimate interests, for example, by applying to a court or other public authorities against a person who has infringed our legitimate interests.

We never transfer personal data to other parties if there is no legal basis for such transfer or no predefined purpose of personal data processing, or if such third parties, considering the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, are unable to transparently ensure appropriate technical and organizational measures and demonstrably show that personal data processing complies with applicable laws, and/or are unable to provide reasonable guarantees of data security and the protection of data subjects’ rights.
For the purposes of fulfilling various personal data processing objectives, personal data may be transferred or made available to:

1. our employees or specially authorized persons acting in our interests, where their duties or authorization involve personal data processing;
2. municipal authorities, courts, and law enforcement bodies, upon their substantiated request, in the manner and to the extent prescribed by law;
3. personal data processors under appropriate data processing agreements (e.g., IT service providers, payment service providers);
4. recipients operating in the field of credit information and/or debt recovery (e.g., debt recovery service providers, credit information bureaus);
5. in certain cases, other cooperation partners involved in organizing and ensuring our operations, such as:
6. a) sworn advocates and other legal advisers;
7. b) our auditors and accountants;
8. c) service providers ensuring the operation of our website and the provision of our services;
9. d) archival service providers;
10. e) recipients operating in the fields of fraud prevention, anti-money laundering, and counter-terrorist financing, etc.

8. Do we transfer data outside the European Union / European Economic Area (EEA)?
Being aware of risks beyond our control associated with the transfer of personal data outside the EEA or to countries that have not been recognized by the European Commission as ensuring an adequate level of data protection, we strive not to transfer your personal data outside the EEA.
However, in certain cases—particularly when using the services of specific data processors or service providers—personal data processing may take place outside the EEA. In such cases, data transfers are carried out in accordance with Chapter V of the GDPR, using standard contractual clauses adopted by the competent EU authority, together with additional technical and organizational safeguards.

9. Do we carry out automated decision-making?
We carry out customer profiling, i.e. the evaluation of customers based on certain parameters such as economic situation, personal preferences, interests, behavior, etc., in order to assign customers to one of our defined customer categories based on this assessment.
Automated decision-making refers to the making of certain decisions by technical, automated means, using data provided by the customer or information obtained as a result of profiling.
We may make automated decisions in order to process your application, assess your creditworthiness and risk level, evaluate the possibility of providing you with the Service, determine the maximum loan amount, assess and prevent fraud risks, and fulfil our obligations to comply with anti-money laundering, counter-terrorist financing, and proliferation financing prevention requirements.
We make automated decisions when assessing your creditworthiness. This allows us to automatically evaluate and offer you the most suitable services we provide. As a result, your loan application may be automatically rejected, or you may be offered an individual interest rate based on our risk assessment algorithms. We regularly review our algorithms and service provision conditions to prevent errors and inaccuracies in assessments. You have the right to request that your application be reviewed by a natural person rather than an automated system; however, a repeated review of the application does not guarantee a different outcome.
In addition, we may use profiling to offer you the most suitable services, personalized marketing and commercial offers, including discounts and special conditions, as well as to carry out customer analysis.
Automated decision-making is carried out on the basis of:

• our legal obligation to assess clients’ creditworthiness and to comply with anti-money laundering and counter-terrorist financing regulations;
• the necessity to conclude a service contract and to take steps prior to the conclusion of such a contract, including ensuring a faster and more efficient contract conclusion process;
• our legitimate interests in preventing fraud risks and providing you with more suitable solutions, communications, and offers.

10. What are your rights?
The Regulation grants you a number of rights, which you may exercise by contacting us in the manner described below:

• to request access to your personal data and receive a copy of your personal data;
• to request the supplementation, correction, or deletion of your personal data;
• to request restriction of the processing of your personal data, as well as the right to object to such processing;
• to receive your personal data and related information in a structured, commonly used, and machine-readable format, i.e. the right to data portability.

You may submit a request to exercise your rights in the following ways:

• in writing, by sending it to our legal address: Bīskapa gāte 2, Rīga, LV-1050 (marked “for the Data Protection Specialist”), or
• by email, signed with a secure electronic signature and sent to: juristi@nordcredits.lv.

Upon receiving your request to exercise your rights, we will first verify your identity. If necessary, we may request additional information required to identify you or ask you to clarify your request if it is unclear or insufficiently formulated.
We will provide our response within one month from the date of receipt of your request (please note that in exceptional cases we are entitled to extend the response period by an additional two months; in such cases, we will inform you in advance). Our response will be sent to the contact address indicated by you, either by registered mail or by email signed with a secure electronic signature.
If you have reason to believe that we are violating your rights in the processing of your personal data, you have the right to contact the supervisory authority — the Data State Inspectorate of Latvia.
The address of the Data State Inspectorate is Elijas iela 17, Rīga, LV-1050. More detailed information is available at www.dvi.gov.lv, by phone at +371 67 22 31 31, or by email at pasts@dvi.gov.lv.
We encourage you to contact us before submitting an official complaint, in order to resolve the issue as quickly and efficiently as possible.
We are committed to ensuring the accuracy of personal data and rely on our Clients, suppliers, and other third parties who provide personal data to ensure that the data submitted is complete and accurate.

11. Why do you receive advertising from us?
In certain cases, we may process your personal data for the purposes of direct marketing. We may send you the following by email:

1. information about news, our offers, and similar updates;
2. invitations to participate in events organized by us, including sending summaries and conclusions related to such events;
3. invitations to participate in various surveys, interviews, and similar activities;
4. invitations to complete feedback or review forms.

At the same time, please note that we will process your personal data for direct marketing purposes only in the following two cases:
a) where we have received your explicit, clear, and prior consent (i.e., you have voluntarily subscribed to receive direct marketing communications and thereby provided your personal data, such as your email address, first name, and last name — the so-called “opt-in” principle); or
b) where you are already our client and have not expressly objected to the processing of your previously provided personal data (email address, first name, last name) for the purpose of receiving direct marketing communications about similar services offered by us (i.e., in this case, we use your email address previously obtained from you in the course of commercial activities — the so-called “soft opt-in” principle).
Please also note that you have the right to opt out of receiving direct marketing communications at any time. You may do so in the following ways:

1. by selecting the free opt-out option indicated in the relevant direct marketing message;
2. by submitting a written request to our legal address: Bīskapa gāte 2, Rīga, LV-1050 (marked “for the Data Protection Specialist”); or
3. by sending an email signed with a secure electronic signature to: juristi@nordcredits.lv.

12. Have you applied for a vacancy with us?
In addition to the other information provided in this Policy, please note that:

• we collect CVs (curricula vitae) and any accompanying documents from applicants;
• we contact the applicant and the referees indicated by the applicant in order to obtain references;
• with the applicant’s consent, we retain CVs for consideration in other recruitment processes;
• in order to protect our legal interests, we retain data to respond to claims and legal proceedings.

For recruitment purposes, we require the following personal data: the applicant’s first name and last name, contact details (email address, telephone number), education and previous work experience, details of persons who can provide references and their contact information, references about the applicant, as well as any other information that may be relevant to the performance of the specific position and to identifying the most suitable candidate.
Information provided in the context of filling a vacancy is retained for 6 months after the conclusion of the recruitment process in order to safeguard against potential claims and legal proceedings.
If you have previously consented to the retention of your information for consideration for other vacancies, such documents will be stored for 1 year from the date of submission.

13. Personal data retention periods
We store and process personal data as long as at least one of the following criteria applies:

1. only for as long as the concluded contract is in force and/or the service is being provided;
2. the data is necessary for the purpose for which it was collected;
3. until the matters referred to in your application, complaint, or claim have been fully reviewed and/or resolved;
4. for as long as we or you may exercise our legitimate interests in accordance with applicable laws (for example, by submitting objections or initiating legal proceedings);
5. for as long as we are subject to a legal obligation under applicable laws to retain the data;
6. for as long as your consent to the relevant personal data processing remains valid, where no other lawful basis for processing exists.

Once the above circumstances cease to apply, the Client’s personal data is deleted.

14. Rights of the data subjectThe data subject has the right to:

• access their personal data;
• request the rectification or erasure of personal data;
• restrict the processing of personal data;
• object to the processing of personal data;
• data portability;
• withdraw consent at any time;
• lodge a complaint with the Data State Inspectorate of Latvia (www.dvi.gov.lv).

15. How do we ensure the security of personal data?
The Controller implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data.
The security of personal data is our absolute priority; therefore, we process personal data using modern technological solutions, taking into account existing privacy risks and the organizational, financial, and technical resources available to us.
As a personal data controller, we ensure:

1. Confidentiality of personal data by ensuring that personal data is processed (including accessed) only by persons who require such access for the performance of their job duties. Our representatives who, in the course of their daily work, handle information containing personal data are trained in personal data protection measures and are contractually bound to comply with confidentiality obligations;
2. Appropriate technical and organizational measures for the protection of personal data. Such measures, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, may include, where appropriate, personal data pseudonymization, data minimization, physical and logical data protection measures in the working environment, data backups, and other safeguards;
3. Use of only verified, licensed, and up-to-date software. We regularly review, update, and improve our technical and organizational measures;
4. Data security through technical solutions, such as data encryption (SSL), firewalls, intrusion prevention, and intrusion detection software;
5. Involvement of certified data protection specialists in personal data processing and in the implementation of personal data protection measures.

16. Amendments to the PolicyThe Controller is entitled to amend this Policy at any time. The current version of the Policy is always available on the Controller’s website.
Effective as of 10 December 2025