1. POLICY STATEMENT
At Own Bank, The Rural Bank of Cavite City, Inc. ("we," "our," "us," the "Bank," or the "Group"), we value and respect the privacy of our clients, employees, partners, and stakeholders. We are committed to protecting personal data in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations, and all relevant issuances of the National Privacy Commission ("NPC").
This Group Data Privacy Policy outlines how we collect, use, process, store, disclose, retain, and dispose of personal data. It also explains the rights of data subjects and how we ensure data protection and compliance within the organization.
2. SCOPE
This Policy applies to all personal data collected and processed by the Group in connection with its operations, services, and interactions with customers, employees, job applicants, suppliers, contractors, and other third parties.
3. COLLECTION OF PERSONAL DATA
We may collect personal data through the following means:
- Visits to or interactions with our branches, offices, websites, and digital platforms;
- Clicks on Group advertisements on third-party platforms;
- Use of our mobile apps and online services;
- Entry to our premises or use of our facilities;
- Submission of application forms and documents;
- Transactions such as account openings, loans, payments, and fund transfers;
- Communications through calls, emails, chats, and other support channels;
- Participation in marketing, promotional, or corporate events;
- Data sharing with third parties (e.g., credit bureaus, public databases, government agencies) in accordance with the law.
4. TYPES OF PERSONAL DATA COLLECTED
Depending on your relationship with the Group, we may collect:
- Identifiers (name, birthdate, nationality, contact details, etc.);
- Government-issued IDs (e.g., TIN, UMID, Driver’s License, etc.);
- Financial data (e.g., account balances, transaction history, etc.);
- Biometric data (e.g., facial image, fingerprints, voice, etc.);
- Online identifiers (e.g., IP address, geolocation, etc.);
- CCTV footage;
- Employment and professional data;
- Other personal information relevant to our risk and suitability assessments.
5. PURPOSE OF PROCESSING
We process personal data for legitimate business and regulatory purposes, including:
- Account servicing and administration;
- KYC and AMLA compliance;
- Transaction processing and validation;
- Customer support and engagement;
- Security, fraud detection, and crime prevention;
- Marketing and customer communication (with consent);
- Product and service development;
- Credit assessment and risk management;
- Internal operations and reporting;
- Engagement of service providers and business partners.
6. DISCLOSURE OF PERSONAL DATA
We may disclose personal data to:
- Other Group members and authorized personnel;
- External service providers under data sharing agreements;
- Regulatory agencies (e.g., BSP, AMLC, NPC, BIR);
- Law enforcement agencies as required by law;
- Courts and authorities with jurisdiction;
- Third parties in mergers, acquisitions, or similar corporate events.
7. COOKIES AND WEB ANALYTICS
We use cookies and similar technologies to:
- Improve website functionality and user experience;
- Analyze traffic patterns and usage behavior;
- Personalize content and advertising.
Users may disable cookies via browser settings, but this may limit website functionality.
8. DATA RETENTION AND DISPOSAL
Personal data will be retained for at least five (5) years from the date of transaction or account closure, or longer if legally required. After this period, data will be securely disposed of or anonymized.
9. AUTOMATED DECISION-MAKING AND PROFILING
We may use AI and other automated tools for:
- Credit scoring and risk analysis;
- Fraud monitoring;
- Tailoring of products and services.
Such systems are subject to safeguards and human oversight. Data subjects may request human review of significant decisions.
10. PERSONAL DATA BREACH MANAGEMENT
In the event of a personal data breach likely to result in serious harm:
- We will notify the NPC and affected data subjects within 72 hours;
- Notification will include breach details, compromised data, remediation steps, and DPO contact information.
11. RIGHTS OF DATA SUBJECTS
Under the DPA, data subjects have the right to:
- Be informed;
- Object to processing;
- Access their data;
- Rectify inaccurate data;
- Erase or block data under certain conditions;
- Data portability;
- File a complaint with the NPC.
12. DATA SECURITY MEASURES
We implement organizational, physical, and technical measures, including:
- Information security frameworks and policies;
- Access controls and authentication mechanisms;
- Use of firewalls, encryption, antivirus, and monitoring systems;
- Staff training on privacy and cybersecurity;
- Regular security testing and system audits.
- Data Privacy Impact Assessment: We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in high privacy risks, such as automated decision-making, profiling, data sharing with third parties, or use of AI. DPIAs are part of the Bank’s risk assessment and mitigation process.
13. THIRD PARTY SERVICE PROVIDERS
External third-party service providers are required to comply with applicable data protection laws and contractual obligations. The Bank shall:
a. Perform due diligence before engagement;
b. Require vendors to sign Data Sharing or Outsourcing Agreements;
c. Monitor vendor compliance through periodic reviews or audits;
d. Require immediate breach notification and support in remediation.
14. DATA LOCALIZATION AND CROSS BORDER TRANSFERS
Personal data may be transferred to and processed in jurisdictions outside the Philippines when using outsourced or cloud-based services. The Bank shall ensure that appropriate safeguards are in place, including binding corporate rules, standard contractual clauses, or equivalent measures, to protect the privacy and rights of data subjects.
15. GOVERNANCE AND OVERSIGHT
The Board of Directors and Senior Management shall exercise oversight over data privacy risk management. They are responsible for:
a. Approving and regularly reviewing the Data Privacy Policy;
b. Ensuring that privacy risks are considered in strategic decisions;
c. Monitoring the Data Protection Officer's (DPO) independence and performance;
d. Overseeing the implementation of data protection controls and breach response mechanisms.
The DPO shall report privacy risks, incidents, and compliance status to the Board or designated oversight committee at least annually.
16. POLICY REVIEW AND UPDATES
This policy shall be reviewed and updated as necessary to reflect regulatory changes or operational requirements. The latest version will be published on the Group’s website.
17. CONTACT INFORMATION
For questions, concerns, or data privacy requests, contact:
Data Privacy Officer
Own Bank, The Rural Bank of Cavite City, Inc.
dpo@ownbank.com.ph
Effective Date: June 2025
GROUP DATA PRIVACY STATEMENT
At Own Bank, The Rural Bank of Cavite City, Inc. (“we,” “our,” “us,” the “Bank,” or the “Group”), your privacy is important to us, and we are dedicated to safeguarding it. We are committed to protecting the personal data you provide to us and to ensuring your rights under Republic Act No. 10173, or the Data Privacy Act of 2012 ("DPA"), its Implementing Rules and Regulations, as well as other relevant laws, rules, and regulations issued by the National Privacy Commission ("NPC").
This Data Privacy Statement outlines how we collect, use, process, store, disclose, retain, and dispose of your personal data. It also details your rights and how we safeguard your information.
How We Collect Information
We collect your personal data through various means, including:
- When you visit or interact with our offices, branches, websites or digital platforms;
- When you click on a Group advertisement on a third-party website or platform;
- When you use any of our mobile applications or online services;
- When you enter our premises or use our facilities;
- When you open an account or avail of any of our products or services;
- When you submit application forms, documents, and other correspondence;
- When you make transactions with us, including payments and fund transfers;
- When you contact us for concerns, inquiries, feedback, or complaints;
- When you attend any of our marketing, promotional, or corporate events;
- When we obtain data from third parties, such as credit bureaus, public databases, government agencies, or our business partners, in accordance with applicable laws.
Personal Data We May Collect
Depending on your relationship with the Group and the services you use, the following personal data may be collected:
- Identifiers: Full name, date and place of birth, nationality, gender, marital status, contact numbers, residential and/or business address, email address, education, occupation, employer, source of income, etc.;
- Government-issued identifiers: TIN, SSS/GSIS, UMID, PhilHealth, Passport, Driver’s License, etc.;
- Financial data: Account numbers, account balances, income, assets, investments, credit data, payment history, transaction records, etc.;
- Biometric data: Facial images, fingerprints, signature, voice recordings (from customer support calls), etc.;
- Online identifiers: IP address, device ID, browser type and version, cookies, geolocation data, etc.;
- Images and audio captured via CCTV in our premises;
- Employment and professional information;
- Personal circumstances that may be relevant to creditworthiness, suitability assessment, or risk profiling.
Why We Collect and Process Your Personal Data
The Group may use and process your personal data for the following legitimate purposes:
- Service Provision: To provide, operate, and administer your accounts, loans, investments, deposits, or other products/services you avail from us;
- KYC and Compliance: To fulfill know-your-customer (KYC) obligations, perform due diligence checks, and comply with legal and regulatory requirements including but not limited to those under the Anti-Money Laundering Act (AMLA), FATCA, and BSP regulations;
- Transaction Processing: To validate and execute your instructions, applications, and transactions;
- Customer Support: To address your concerns, respond to your queries, and manage your requests, including the use of call recordings and chat logs;
- Security and Fraud Prevention: To secure your transactions, protect against unauthorized use or misuse, and prevent criminal activity;
- Marketing and Promotions: To inform you of new products, services, events, and promotions based on your consent and preferences;
- Research and Development: To understand market behavior, improve services, and conduct analytics, profiling, and statistical research;
- Credit Evaluation: To assess your creditworthiness or eligibility for financial services;
- Internal Management: To implement risk management, audit, training, reporting, and other internal business operations;
- Third Party Engagement: To share your data with service providers, affiliates, agents, and partners (including credit bureaus, insurers, and digital solution providers) when necessary to fulfill service delivery and legal obligations.
Disclosure of Personal Data
We may disclose your data to:
- Other members of the Group and their authorized personnel;
- External third-party service providers under data sharing agreements;
- Regulatory bodies such as the Bangko Sentral ng Pilipinas, AMLC, NPC, and BIR;
- Government and law enforcement agencies, when required by law;
- Courts, tribunals, or authorities with competent jurisdiction;
- Business partners, investors, and third parties in case of corporate mergers or acquisitions, subject to confidentiality agreements.
Use of Cookies and Web Analytics
We may collect non-personal data through cookies or similar technologies to:
- Improve user experience on our websites;
- Understand usage behavior and traffic patterns;
- Customize content and advertising based on your preferences.
You may choose to disable cookies through your browser settings; however, some functionalities may be affected.
Retention of Personal Data
We will retain data securely and implement appropriate data retention policies. Your Personal Data will be stored in our system for at least five (5) years from the date of the transaction, except where specific laws and/or regulations require a different retention period, in which case, the longer retention period will be observed.
We will dispose of data securely once it is no longer required and will ensure that appropriate processes are put in place so only Bank colleagues with a business requirement to access such data are authorized and able to do so.
Upon expiration of the retention period, physical and electronic copies of your data will be securely disposed of or anonymized in a manner that prevents unauthorized access.
Automated Decision-Making and Profiling
We may use automated systems, including artificial intelligence (AI) and machine learning technologies, to assist in making decisions related to your personal data. This includes activities such as:
- Credit Scoring and Risk Assessment: Evaluating your creditworthiness based on declared and collected data;
- Fraud Detection: Identifying unusual patterns that may indicate fraudulent behavior;
- Personalized Services: Tailoring products, services, and offers based on your profile and preferences.
Automated decisions are made with appropriate safeguards in place and are subject to human oversight to ensure fairness, transparency, and accuracy. You have the right to request human intervention, express your point of view, or contest automated decisions that significantly affect you.
Personal Data Breach Management
A Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A Personal Data Breach shall be subject to notification requirements under the following conditions:
- The compromised data involves personal data that may be used to enable identity fraud;
- There is reason to believe that the information may have been acquired by an unauthorized person; and
- The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
The Bank shall notify the National Privacy Commission and affected customers in case of breach within 72 hours upon knowledge of or reasonable belief by the Bank or our third-party processor that a personal data breach has occurred.
In such event, we shall notify you, through a secure means of communication, of the following:
- The nature of the breach;
- Your personal information possibly compromised;
- Measures taken to address the breach and reduce negative consequences;
- Contact details of the government authorities concerned; and
- Contact information of our Data Privacy Officer who can assist you in mitigating possible ramifications that may compromise your rights and privacy.
Your Data Privacy Rights
You are entitled to the following rights under the DPA:
- Right to be Informed – You have the right to know when and how your data is being collected and used;
- Right to Object – You may opt out of marketing or data processing not covered by legal or contractual obligations;
- Right to Access – You may request a copy of your personal data in our possession;
- Right to Rectify – You may ask to correct or update your data if it is inaccurate or outdated;
- Right to Erasure or Blocking – You may request to suspend, withdraw, or delete your data under certain conditions;
- Right to Data Portability – You may obtain and reuse your data for your own purposes across different services;
- Right to File a Complaint – You may file a complaint with the NPC for any violation of your rights;
- Right to Damages – You may claim compensation for damages due to violations of your data privacy rights.
To exercise your rights, please send a written request to our Data Privacy Officer. The Bank shall respond to your requests within fifteen (15) banking days from receipt. Requests may be denied if manifestly unreasonable, excessive, or legally restricted, with reasons provided to the requester.
Security Measures
We adopt stringent security protocols to ensure the confidentiality, integrity, and availability of your data:
- Implementation of information security policies aligned with international standards;
- Access control and authentication procedures to restrict unauthorized data access;
- Use of firewalls, encryption, antivirus programs, and other cybersecurity tools;
- Continuous employee training and awareness on data privacy and cybersecurity;
- Monitoring and logging of system access and activity;
- Regular vulnerability assessments and penetration testing.
Amendments to this Statement
This Privacy Statement may be updated from time to time. The latest version will be published on our official website. We encourage you to review it periodically.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Statement or how your data is processed, please contact:
Data Privacy Officer
Own Bank, The Rural Bank of Cavite City, Inc.
dpo@ownbank.com.ph
This Data Privacy Statement is effective as of June 2025 and remains in force until amended.
Policy Review
This policy is to be reviewed annually, or as required, in order to ensure that the procedures are current, fair and representative of relevant corporate, industry, or regulatory conditions.