PRIVACY POLICY

INFORMATION PURSUANT TO REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Last update date: July 14, 2023

This information on the processing of personal data ("Information”) contains information relating to the processing of your personal data by Hercle S.r.l. pursuant to and by effect of art. 13 of EU Regulation no. 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR”).

Hercle S.r.l (hereinafter also "Hercules" O "Data Controller” or even just the “Holder”) respects your privacy and wants to help you understand how we collect, process and share your data.

We inform you that some activities could be carried out through suppliers, specifically appointed as Data Processors, even those residing outside the European Union.

Definitions used in this Notice

“Channels Allowed": the communication channels that the interested party can use to use the Services in accordance with the Terms of Use.

“Navigation data": the computer systems and software procedures used to operate this website acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature - through processing and association with data held by third parties - allows users to be identified. This category of data includes IP addresses or domain names of the computers used by users who connect to the site, addresses in URI notation (Uniform Resource Identifier) of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the IT environment. These data are used for the sole purpose of obtaining anonymous statistical information on the use of the site and to check its correct functioning and are canceled immediately after processing;

“Navigation data aimed at profiling” data provided directly by the user through the use of the services or obtained and analyzed with the consent of the user provided during the use of the Platform.

“Personal data”: any identified or identifiable information, even indirectly, relating to an individual, including a personal identification number, general identification data or personal data which permits direct identification (for example name, VAT number, address, e- email, telephone number, etc.) - see art. 4, par. 1, no. 1 GDPR.

“Interested” means an identified or identifiable natural person. In this Information, the term will indicate your person;

“Log the system": for needs related to operation and maintenance, this platform and any third-party services used by it can collect system logs, i.e. files that record interactions and which may also contain personal data, such as the IP address;

“ Platform ": indicates, collectively, the graphical interface available at the following address https://auth.hercle.financial/sign-in and the relativesoftware as well as any other application with a user interface made available to the Customer by Hercle for the use of the Services.

“Profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, preferences personalities, interests, reliability, conduct, location or movements of that natural person;

“Responsible for the treatment”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Services”: indicate the services offered by Hercle regulated by the relative Terms of Use.

“Site” indicates the website available at the address: https://www.hercle.financial/.

“Terms of Use" indicates the terms of use that regulate the use of the Services, the Platform and the APIs available at the following address https://hercle.financial/terms-and-conditions.

“Data controller”: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of processing personal data.

“Treatment”: any operation or set of operations performed on personal data or on sets of personal data, with or without the aid of automated means, such as the collection, registration, organization, structuring, storage, adaptation or the modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, limitation, cancellation or destruction;

1. CATEGORIES OF PERSONAL DATA PROCESSED

As a rule, the user can use the Site without having to provide any Personal Data. If the user accesses the Site simply for informational purposes (and does not open aaccounton the Site and does not use the services offered by Hercle), we will not collect any Personal Data, except for data transmitted by the user's browser or terminal and for the user's IP address in order to allow him to access the Site. In this case, the data transmitted to Hercle will be, by way of example but not limited to: (i) the date and place of the request; (ii) the type and version of the browser used by the user; (iii) your operating system; (iv) page views and navigation paths on the Site; as well as (v) information on the timing, frequency and configuration of the use of the Site by the user, and in general all the usage data offered by Hercle's automatic tracking system, through which, however, the information they are collected anonymously to report website usage trends without identifying individual visitors.

In the case of use of the Platform, the APIs and the Services, the Data Controller will collect and process Personal Data. These are collected within specific sections of the Platform or through other technological means made available by Hercle.

Hercle, as Data Controller, collects and processes personal identification data, such as, for example, name, surname, company name, address and e-mail address, communicated by the user at the time of opening an account and registering on the Platform. The Personal Data that will be requested will also be those necessary for identification and may concern, for example: (i) name and surname; (ii) date of birth; (iii) place of birth; (iv) place of residence; (v) domicile, if different from residence; (vi) tax code, if issued; (vii) details and images of the identification document and date of issue and expiry, etc.

Hercle does not collect data relating to minors under the age of 18, nor does it process sensitive data that could reveal racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as the state of health.

2. VERIFICATION AND IDENTIFICATION

When the interested party has registered on the Platform or uses the Services by accepting the Terms of Use governing the Services, Hercle is required to fulfill its obligations as a provider of Services concerning the use of virtual currency, as a result of Legislative Decree 21 November 2007, n. 231, as reformed by Legislative Decree 25 May 2017, n. 90, concerning anti-money laundering and the fight against the financing of terrorism.

Hercle is therefore required to verify the identity of the interested party using the Services through a valid identity document, to keep the specific information obtained from this document, to verify its authenticity together with all additional information, including documents, which must be requested and which, during the course of the relationship, must be updated. To this end, the User must provide all the additional information that will be requested through electronic forms which also provide the possibility of uploading documents, or through questionnaires that will be submitted and that Hercle will ask you to complete off-line. Data relating to the activity of the interested party through the Platform, the APIs and other Permitted Channels as defined in the Terms of Use available at the following link: https://hercle.financial/supported-notification-channels they may be stored and processed by the Data Controller for the purposes imposed by the applicable legislation or by the Terms of Use.

In order to fulfill all anti-money laundering obligations, Hercle, as Data Controller, makes use of the services of third parties, duly authorized to Process Personal Data through specific contracts with Hercle, or specific attorneys for the execution of the Processing; third parties are required, under the GDPR, to comply with the Hercle Privacy Policy and instructions on retention and non-disclosure, nor to allow the improper use of Personal Data outside the prescribed purposes for collection.

Hercle may also make reports to third parties including, for example, the competent Authorities, ipartner banks and non-banks with which Hercle collaborates. These reports may involve the transfer of Personal Data of the interested party.

A complete and up-to-date list of these entities and the type of processing requested by Hercle is at your disposal; in this regard, he will have to make a formal request to Hercle.

3. LEGAL BASIS AND PURPOSE OF THE TREATMENT

The Data Controller will process your Personal Data for the achievement of certain purposes and only in the presence of a specific legal basis provided for by the applicable legislation on privacy and protection of personal data.

Your Personal Data may be processed, pursuant to art. 6 letters a), b), c) and f) GDPR, for the following purposes:

• the interested party has given his consent to the processing of his personal data for one or more specific purposes;
• the Processing is necessary for the performance of a contract to which the Data Subject is a party or to take steps at the request of the Data Subject before entering into a contract;
• the Processing is necessary to fulfill a legal obligation to which the Data Controller is subject;
• the Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties.

The following table lists the purposes for which your Personal Data are processed by the Data Controller and the legal basis on which the Processing is based

4. NATURE OF THE PROVISION OF DATA

The provision of your Personal Data is necessary in specific cases and your consent is therefore mandatory. Your refusal could make it impossible for the Data Controller to implement the purpose for which the Personal Data is collected.

In the absence of the provision of Personal Data by the interested party, Hercle will not be able to guarantee the provision of the Services, nor will it be able to fulfill its contractual obligations towards customers, collaborators, suppliers,partner commercial and, in general, of all those with whom Hercle enters into relations. In such cases, we also inform you that the provision, even partial or inaccurate, of Personal Data may result in the impossibility of providing the Services and, in any case, preclude Hercle from fulfilling its pre-contractual, contractual and tax obligations.

If consent to the Processing is requested from the interested party and he revokes the consent to the provision of Personal Data already given, it will in any case remain mandatory and an essential condition for the pursuit of all the purposes indicated in the previous paragraph 3. Failure to provide Personal Data from part of the interested party, given the impossibility for Hercle to fulfill its contractual obligations, entails the absence of responsibility on the part of Hercle itself with the consequent overcoming of any previous relationship and/or the impossibility of continuing the same.

The provision of data for marketing and profiling purposes is optional.

The interested party may therefore decide not to provide any Personal Data or to subsequently deny the possibility of processing the data already provided. In this case, the interested party will not be able to receive newsletters, commercial communications and advertising material relating to the services offered by the Data Controller, but will be able to continue to use the company services and contractual services, without prejudice to the foregoing.

5. METHOD OF TREATMENT

The processing of personal data is carried out in the manner described in art. 4, no. 2 and in compliance with art. 32 of the GDPR through automatic or manual methods. In particular, the Processing is carried out through: collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of the Data.

Personal Data is subject to both paper and electronic and/or automated processing with methods and tools that comply with the security measures pursuant to art. 32 of the GDPR, by persons specifically appointed by Hercle, or by persons in charge of processing personal data under the direct authority of Hercle as provided for by art. 4, no. 10, of the GDPR. As anticipated, subjects external to Hercle may also be delegated to the Processing, with specific contracts, appointed as Data Processors and who will act on documented instructions from Hercle itself, in its capacity as Data Controller.

6. DATA RETENTION PERIOD

Hercle, in compliance with the principles of lawfulness, purpose limitation and data minimisation, pursuant to art. 5 of the GDPR, keeps your data in servers compliant with the GDPR for the duration of your consent, the contract or another retention period required by law (e.g. accounting obligations).

The Data Controller or Data Processors will process and store the Personal Data for the minimum time necessary to fulfill the purposes referred to in paragraph 3, and only for the time necessary to carry out the conservation to the extent required by the GDPR. Both the treatment and the storage, however, are established for no more than 10 years from the termination of the contractual relationship for the treatments that took place for the purposes of providing the services, and for no more than 12 months from the collection of data for marketing purposes. Once these retention periods have expired, the Personal Data will be blocked, destroyed or made anonymous in accordance with the legal requirements.

7. PRIVACY E NEWSLETTER

If you have consented to receive commercial communications, your data may be processed for sending promotional communications or newsletters via e-mail or in any case other information content relating to the website.

The consent of the interested party, expressed in accordance with this information, constitutes a legal basis. The interested party is not obliged to provide Personal Data; in case of failure to communicate such data, however, it will not be possible to carry out any marketing activity. The Personal Data thus processed are kept until the consent is revoked by the interested party.

8. NON-AUTOMATED DECISION-MAKING AND PROFILING

If the user gives his consent to the processing of personal data for the purpose of using personalized services through profiling, these may be processed in a non-automated way in order to select which communications are more suitable for your profile or which could be of greater interest . The Processing carried out in this way has the expected consequences, by way of example, the sending of highly profiled commercial communications, the sending of invitations to events deemed of interest, etc.

In any case, the interested party has the right to obtain an explanation of the decision taken and to contest the decision itself.

9. RECIPIENTS OF THE DATA, RESPONSIBLE FOR THE TREATMENT

Pursuant to articles 28 and 29 of the GDPR, your Personal Data will not be disclosed, but may be communicated, where necessary for the provision of the service, to employees and collaborators of the Data Controller in Italy and/or abroad, or to other appointed subjects, if necessary , Data processors by the Data Controller for tasks of a technical or organizational nature.

Personal Data may be made accessible for the purposes referred to in paragraph 3:

1. to employees or collaborators of the Data Controller as data processors under the direct authority and directives of Hercle;

2. to Hercle's partner companies, in Italy and abroad, as Data Processors and/or system administrators pursuant to art. 28 of the GDPR who act as Data Processors on behalf of the Data Controller and who have offered sufficient guarantees to implement adequate technical and organizational measures so that the Processing entrusted to them satisfies the legal requirements;

3. to third-party companies or other subjects, such as, for example, credit institutions, payment institutions or other financial intermediaries, professional firms, consultants, insurance companies, which carry out activities on behalf of the Data Controller and act as independent Data Controllers with their own informationprivacy, available to the interested party.

Without the need for express consent (Article 6 letter b) and c) of the GDPR), the Data Controller may communicate the Personal Data of the Data Subject for the purposes referred to in paragraph 3 to Supervisory Bodies (such as UIF, Bank of Italy , OAM, etc.), Judicial Authorities, insurance companies for the provision of insurance services, as well as to those subjects to whom the communication is mandatory by law for the accomplishment of the aforementioned purposes. These subjects will process the Personal Data as independent Data Controllers and the Personal Data of the Data Subject will not be disclosed.

Personal Data may be processed by third parties which Hercle Società uses for the provision of the Services including, by way of example, identification procedures, verification of the authenticity of identity documents, consultation of databases or for the execution of the payment services made available to customers.

The updated list of Data Processors and persons in charge of processing is kept at the registered office of the Data Controller.

10. TRANSFER OF PERSONAL DATA

Personal Data is stored on server located within the European Union. In any case, it is understood that the Data Controller, should it become necessary, will have the right to move the servers also to countries outside the European Union.

In this case, the Data Controller ensures from now on that the transfer of data to non-EU countries will take place only after explicit release of a specific consent by each interested party, to countries that guarantee an adequate level of protection of Personal Data and only upon stipulation of contracts containing standard clauses approved by the European Commission through which the Processing of Personal Data is guaranteed in compliance with the principles and legal requirements established by the GDPR.

11. COOKIE

The web pages of the Site use cookies. In this way, Hercle can provide users of the Site with more user-friendly services that would not be possible without the setting of cookies. In fact, thanks to cookies, the information on the site can be optimized, because cookies make it possible to recognize the users of the site. The purpose of this recognition is to facilitate the use of the site by users. For example, the user is not obliged to enter access data each time he consults the Site, since these are already acquired by the Site through the cookies stored in the user's computer system.

The interested party can, at any time, prevent the setting of cookies when accessing the Site through the corresponding setting of the Internet browser used, and can, therefore, permanently deny the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software program. This is possible in all popular Internet browsers. If the interested party deactivates the setting of cookies in the Internet browser used, it is possible that not all functions of the Website will be fully usable.

Further information on cookies is contained in the Cookie Policy, accessible from the Site in the appropriate section, which the interested party is invited to read.

12. RIGHTS OF INTERESTED PARTIES

Pursuant to the GDPR, you can exercise certain rights towards the Data Controller, such as that of obtaining from the Data Controller the cancellation of your data (right to be forgotten), the limitation, updating, rectification, portability, or right to object to the Processing of your Personal Data. More specifically, you may exercise the following rights (provided for by articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR):

• to access their Personal Data (article 15), i.e. to confirm whether or not the Processing of their Personal Data is in progress and, in this case, to have access to the data;
• request the Data Controller to rectify (article 16) and/or integrate your Personal Data;
• ask the Data Controller to cancel the Personal Data (art. 17) without unjustified delay;
• ask the Data Controller to limit the Processing of your personal data (article 18), i.e. obtain confirmation that the Processing of Personal Data is limited to what is necessary for archiving purposes;
• request data portability (article 20), i.e. obtain your Personal Data in a structured, common and readable format;
•  oppose their Processing (article 21) or, at any time, to oppose, for any reason connected to your particular situation, the Processing of your data;
• with regard to automated decision-making processes (Article 22), the right not to be subjected to a decision based solely on Automated Data Processing without your explicit consent;
• to cancel their Personal Data (art. 17), i.e. the right to obtain, in the cases provided for by the Regulation, the cancellation of their Personal Data;
• propose a complaint to the Supervisory Authority (art. 77) for the protection of Personal Data (for more information, consult www.garanteprivacy.it, email:garante@gpdp.it).

Furthermore, at any time, you can revoke the consent on which the treatment carried out is based. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent given before the withdrawal.

Any request for information or clarification on your rights and their execution can be addressed to the Data Controller by sending:

1. a registered letter with acknowledgment of receipt addressed to

Hercle S.r.l.

Via Salasco 3

20136 - Milan (MI);

or

2. an email to: compliance@hercle.financial

or

3. a PEC to the address: hercle@pec.net.

13. OWNER OF THE TREATMENT AND DPO

Hercle S.r.l., with registered office in Via Salasco 3, 20136, Milan, in the person of the legal representativefor the time, is the Data Controller of the Personal Data collected in accordance with this Information.

The Data Controller does not fall within the cases envisaged by art. 37, par. 1 of the GDPR, for which a Data Protection Officer (DPO) has not been appointed.

14. CHANGES TO THE PRIVACY POLICY

This Policy may be subject to changes and it is advisable to read the updates that will be communicated from time to time.