4131-4032-8235.3

PRIVACY NOTICE

This version is effective from: September 15

2025.

Introduction

When you apply for or use Tymit’s Credit Card products and related credit card services (the "Services")

two key parties process your personal information:

• Tymit Limited ("Tymit", “we”, “our”, “us”); and

• Transact Payments Limited (“TPL”)

This privacy notice explains how Tymit processes your personal information as part of the Services.

Further information about how TPL process your personal information is available separately.

Who are Tymit?

We are the regulated lender for the Tymit Credit Card Programme (the "Account") and we are regulated

by the Financial Conduct Authority. This means that we are authorised to make, or take assignments

of, regulated consumer lending as part of our regulated business activities. In other words, we are the

party that provides you with credit. We also provide the Tymit Credit Card credit account mobile

application (the "App").

The Account and the App form part of the Services and when we provide them, we are the controller of

your personal information. Tymit are registered with the Information Commissioner's Office, registration

number: ZA522915.

Tymit is committed to safeguarding the privacy of your information and in this privacy notice we set out

when and why we collect your personal information, how we use it, the conditions under which we may

disclose it to others and how we keep it secure.

What about the other key party, TPL?

TPL is the issuer and service provider for your payment card and is the controller for the personal

information which you provide to us in relation to the card only. You can find out more about TPL's

responsibilities by reading TPL's privacy notice available [Privacy Policy | Transact Payments

(transactpaymentsltd.com)] or by contacting TPL using the contact details they have provided.

What personal information does Tymit collect?

In providing the Account and the App, Tymit may collect the following types of personal information:

Identity Data

Identity data, including first name, maiden name, last name, username

or similar identifier, marital status, title, date of birth, gender and visual

(including photographic) identification.

Contact Data

Contact data, including billing address, delivery address, email address

and telephone numbers.

Financial Data

Financial data, including Open Banking data, bank account and

payment card details, salary and other income details and credit

referencing information.

Transaction Data

Transaction data, including details about payments and other details of

products and services provided under your agreement with us.

Technical Data

Technical data, including internet protocol (IP) address, login data,

browser type and version, time zone setting and location, browser plug-

in types and versions, operating system and platform, and other

technology on the devices used in relation to the Account.

- 2 -

4131-4032-8235.3

Profile Data

Profile data, including usernames and passwords, accountholder

interests, preferences, feedback and survey responses.

Usage Data

Usage data, including information about how accountholders use the

Services.

Marketing and

Communications Data,

Marketing and communications data, including accountholder

preferences in receiving marketing from the parties and third parties

and their communication preferences.

How your personal information is collected

We collect and receive personal information using different methods:

Direct Interaction

You may give us your Identity, Contact Data and Financial Data by

filling in forms (electronically or otherwise), or by corresponding with

us by post, phone, email or otherwise. This includes personal

information you provide when you:

• apply for the Account.

• upload content/documents onto our App;

• subscribe to our services or publications;

• register for our newsletter;

• request marketing to be sent to you; or

• give us feedback or contact us.

Personal information we

collect using cookies and

other similar technologies

When you access and use our App, we will collect certain Technical

Data. We may in part collect this personal information by using cookies

and other similar technologies.

Personal information

received from third parties

and publicly available

sources

We will receive personal information about you from various third

parties (including public sources) as set out below:

• Technical Data from parties such as analytics providers such as

Google and Amazon Web Services which may be based outside

the UK and/or the EU.

• Financial Data, Identity Data and Contact Data from credit

reporting agencies such as Experian PLC.

• Identity and Contact Data from publicly available sources such as

Companies House and the Electoral Register based inside the UK.

• Financial Data and Identity Data from Cifas, a not-for-profit fraud

prevention membership organisation managing the largest

database of instances of fraudulent conduct in the UK.

• Financial Data and Identity Data from Regulatory Data Corp Inc

which provides services relating to anti-money laundering, KYC

(know your customer) compliance and identification of politically

exposed persons.

- 3 -

4131-4032-8235.3

How Tymit users your personal information

We use your personal information for the purposes set out in this section. If we wish to make any

changes to these purposes, or if we wish to use your personal information for any purpose that is not

listed in this section, we will notify you using the contact details we hold for you.

Assessing your eligibility

for the Account

We will use your Identity Data, Contact Data, Financial Data,

Transaction Data, Profile Data and Usage Data to make assessments

of your eligibility for the Account as well as identify you and verify the

personal information you have provided, including any other

applications you make in the wider Tymit product range, to prevent

fraud and identity theft.

Our legal basis for processing

It is necessary for us to use your personal information to perform our

obligations in accordance with the contracts that you are entering into

or have entered into with us, or it is in our legitimate interest to use

personal information in such a way to ensure that we provide the

Account and to take the steps outlined above.

Performing credit and

identity checks and

undertaking debt tracing

and recovery

To process your application for an Account, we will perform credit and

identity checks on you with one or more credit reference agencies

(“CRAs”). We may also make periodic searches at CRAs to manage

your account with us. To do this, we will supply your Identity Data,

Contact Data, Financial Data and Transaction Data to CRAs, and they

will give us certain personal information about you. This will include

information from your credit application and about your financial

situation and financial history. CRAs will supply to us both public

(including the electoral register) and shared credit, financial situation

and financial history information and fraud prevention information.

This information will be used for:

• Assessing your creditworthiness and whether you can afford to

take the product.

• Verifying the accuracy of the data you have provided to us.

• Preventing criminal activity, fraud and money laundering.

• Managing your account(s).

• Tracing and recovering debts.

• Ensuring any offers provided to you are appropriate to your

circumstances.

We will also inform the CRAs about your settled accounts. If you

borrow and do not repay in full and on time, CRAs will record the

outstanding debt. This information may be supplied to other

organisations by CRAs.

When CRAs receive a search from us they will place a search footprint

on your credit file that may be seen by other lenders.

Our legal basis for processing

It is necessary for us to use your personal information to perform our

obligations in accordance with the contracts that you are entering into

or have entered into with us, or it is in our legitimate interest to use

- 4 -

4131-4032-8235.3

personal information in such a way to ensure that we provide the

Account and to take the steps outlined above.

Providing the Services

We will use your Identity Data, Contact Data, Financial Data,

Transaction Data, Profile Data, Technical Data and Usage Data: for

the purpose of supplying the Account and App as part of the Services.

This will include making responsible lending decisions in accordance

with our principles and regulatory obligations, processing payments

and managing transactions, providing you with access to our App.

Our legal basis for processing

It is necessary for us to use your personal information to perform our

obligations in accordance with any contract that we may have with you,

or it is in our legitimate interest or a third party’s legitimate interest to

use personal information in such a way to ensure that we provide the

Services in an effective, safe and efficient way.

Complying with our legal

obligations or in

connection with the

administration of our

business

We will use your Identity Data, Contact Data, Financial Data and

Transaction Data: (i) to comply with our legal obligations, including our

Financial Crime and Anti-Money Laundering obligations; (ii) to enforce

our legal rights; (iii) to protect the rights of third parties; and (iv) in

connection with a business transition such as a merger,

reorganisation, acquisition by another company, or sale of any of our

assets.

Our legal basis for processing

Where we use your personal information in connection with a business

transition, to enforce our legal rights or to protect the rights of third

parties, it is in our legitimate interest to do so. For all other purposes

described in this section, we have a legal obligation to use your

personal information to comply with any legal obligations imposed

upon us, such as a court order.

We will not process any special (or sensitive) categories of personal

information or personal information relating to criminal convictions or

offences except where we are able to do so under applicable

legislation or with your explicit consent.

Direct marketing

We will use your Identity Data, Contact Data and Marketing and

Communications Data to send you marketing communications by

email or text.

Our legal basis for processing

We will only send marketing communications to you by email or text

where you have consented to receive such content, or where we have

another lawful right to send marketing. For example, in certain

circumstances we may rely on our legitimate interest to send marketing

by email to consumers who have purchased services from us and we

are able to rely on the soft opt-in.

Personal information we

collect using cookies and

other similar technologies

When you access and use our App, we will collect certain Technical

Data. We may in part collect this personal information by using cookies

and other similar technologies. Please see our cookie policy for further

information, a link to which is available [Our Cookie Policy | Tymit].

Our legal basis for processing

- 5 -

4131-4032-8235.3

Where your data is collected through the use of non-essential cookies,

we rely on consent to collect your personal information and for the

onward processing purpose.

In certain circumstances, we may rely on another lawful basis when

we use your personal information collected via the use of cookies, for

example if a cookie is strictly necessary for the performance of the App.

If you fail to provide your personal information

Where we are required by law to collect your personal information, or we need to collect your personal

information under the terms of a contract we have with you, and you fail to provide that personal

information when we request it, we may not be able to perform the contract we have or are trying to

enter into with you. This may apply where you do not provide the personal information, we need in order

to provide our part of the Services or to process an application to register an Account. In these

circumstances, we may have to cancel your application or the provision of the relevant Services to you,

in which case we will notify you.

Sharing personal information

We only share personal information with others when we are legally permitted to do so. When we share

personal information with others, we put contractual arrangements or other appropriate security

mechanisms in place to protect the personal information shared and to comply with our legal obligations.

We set out below the relevant third parties with whom data is shared This list is non-exhaustive and

there may be circumstances where we need to share personal information with other third parties.

TPL

(Transact Payments Limited)

We will share your personal information with TPL as the issuer of the

Tymit Credit Card and provider of the Card Account.

CRAs

(Credit Reference Agencies)

To process your application, we will share your personal information

with CRAs to perform credit and identity checks.

The CRAs we use are:

• TransUnion: https://www.transunion.co.uk/crain

• Experian: https://www.experian.co.uk/crain

• Equifax: https://www.equifax.co.uk/crain

Third-party suppliers who

provide applications/

functionality, data

processing or IT services

We share personal information with third parties who support us in

providing our App and help provide, run and manage our internal IT

systems.

Advertising partners

We share personal information with third party advertising partners.

This data is used to provide you with, and measure the effectiveness

of, online personalised advertising and for other advertising related

activities.

Auditors, lawyers,

accountants and other

professional advisers

We share personal information with professional services firms who

advise and assist us in relation to the lawful and effective management

of our organisation and in relation to any disputes we may become

involved in.

Law enforcement or other

government and regulatory

agencies and bodies

We share personal information with law enforcement or other

government and regulatory agencies or other third parties as required

by, and in accordance with, applicable law or regulation.

- 6 -

4131-4032-8235.3

Another corporate entity in

connection with a business

transition

If we are involved in a business transition such as a merger,

reorganisation, acquisition by another company, or sale of any of our

assets, we may share or transfer personal information to a third party.

Any new owner of our business may continue to use your personal

information in the same way(s) that we have used it, as specified in

this privacy notice.

Other third parties

Occasionally, we may receive requests from third parties with authority

to obtain disclosure of personal information, such as to check that we

are complying with applicable law and regulation, to investigate an

alleged crime, or to establish, exercise or defend legal rights. We will

only fulfil requests for personal information where we are permitted to

do so in accordance with applicable law or regulation.

Transfers outside the UK and the European Economic Area (“EEA”)

Your personal information may be used, stored and/or accessed outside the UK and the EEA to our

suppliers. Further details on to whom your personal information may be disclosed are set out above.

When we provide any personal information about you to any non-UK or EEA parties, we take

appropriate steps to protect your privacy and implement reasonable security measures to protect your

personal information. These measures may include the following:

• Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of

the UK, which means that the recipient country is deemed to provide adequate protection for such

personal information; or

• Ensuring that appropriate safeguards are in place, e.g. by entering into regulation mandated

contracts with our data processors that require them to treat personal information in a manner that

is consistent with this privacy notice.

How long we keep your personal information

In respect of personal information that we process in connection with our supply of the Services, we

may retain your personal information for the following periods:

Product/Process Name

Retention Period

Accounts

6 years from the termination of the contract to which customer is a

party.

All declined applications

6 years from date at which the customer is informed of our decision

to decline their application. We will cease contact 1 year after

customer is informed of our decision unless we gain the customer’s

explicit consent to continue processing their data.

All cancelled applications

6 years from date at which the customer decides to withdraw their

application, or the date of expiry of an incomplete application. We

will cease contact 1 year unless we gain the customer’s explicit

consent to continue processing their data.

If any personal information is only useful for a short period (e.g. for a specific activity, promotion or

marketing campaign), we will not retain it for longer than the period for which it is used by us.

If you have opted out of receiving marketing communications from us, we will need to retain certain

personal information on a suppression list for a reasonably proportionate period so that we know not to

send you further marketing communications in the future. However, we will not use this personal

- 7 -

4131-4032-8235.3

information to send you further marketing unless you subsequently opt back in to receive such

marketing.

Confidentiality and security of your personal information

We are committed to keeping the personal information you provide to us secure and we have

implemented information security policies, rules and technical measures to protect the personal

information under our control from unauthorised access, improper use or disclosure, unauthorised

modification and unlawful destruction or accidental loss.

Your rights as a data subject

You have certain rights in relation to the personal information we hold about you and these are set out

below. If you would like to exercise any of these rights, please contact us by emailing

support@tymit.com.

Your right of access

You have the right to ask us for copies of your personal information.

There are some exemptions, which means you may not always receive

all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is

inaccurate. You also have the right to ask us to complete information

you think is incomplete.

Your right to erasure

You have the right to ask us to erase your personal information in

certain circumstances.

Your right to restrict

processing

You can ask us to “block” or suppress the processing of your personal

information in certain circumstances such as where you contest the

accuracy of that personal information or you object to us processing it

for a particular purpose. This may not mean that we will stop storing

your personal information but, where we do keep it, we will tell you if

we remove any restriction that we have placed on your personal

information to stop us processing it further.

Your right to data

portability

This only applies to information you have given us. You have the right

to ask that we transfer the information you gave us from one

organisation to another or give it to you.

Your right to object

You have the right to object to processing if we are able to process

your information because the process forms part of our public tasks or

is in our legitimate interests.

Your rights in relation to

automated decision-

making and profiling

You have the right not to be subject to a decision when it is based on

automatic processing, including profiling, if it produces a legal effect or

similarly significantly affects you, unless such profiling is necessary for

the entering into, or the performance of, a contract between you and

us.

Your right to withdraw

consent

If we rely on your consent (or explicit consent) as our legal basis for

processing your personal information, you have the right to withdraw

that consent at any time. You can exercise your right of withdrawal by

contacting us using our contact details in section 2 (How to contact us)

above or by using any other opt-out mechanism we may provide, such

as an unsubscribe link in an email.

Your right to lodge a

complaint with the

supervisory authority

If you have a concern about any aspect of our privacy practices,

including the way we have handled your personal information, please

- 8 -

4131-4032-8235.3

To report any issues or concerns to the UK regulatory authority, the

Information Commissioner’s Office (“ICO”). Contact details for the ICO

can be found on its website at https://ico.org.uk.

Changes to this privacy notice

Any material changes we make to our privacy notice in the future will be posted on this page and, if

appropriate, sent to you by email.

How to contact us

If you have any questions about our privacy notice or the personal information which we hold about you

or, please send an email to our Data Protection Team support@tymit.com.