GLOSSARY
In this Policy, except where the context otherwise demands, the following words and expressions shall have the following meaning:
- Availability
The concept of ensuring that authorized subjects are granted timely and uninterrupted access to data, information, assets or resources.
- Confidentiality
The concept of ensuring the secrecy of data, information, assets or resources to prevent or minimize unauthorized access.
- Consent
The Consent given by a Data Subject to authorize third parties to process Personal Data, provided such Consent is specific, informed, and unambiguous.
- Customer
Any Natural Person or Sole Proprietor who obtains or may prospectively obtain Financial Services and/or Products.
- Data Classification
Classification or assignment of data into appropriate security levels based on sensitivity.
- Data Owner
An individual, government entity, or private organization that owns certain data and has authority over its processing, amendment, copying, or storage.
- Data Breach
Unauthorized or illegal access, copying, sharing, processing, or disclosure of Personal Data.
- Data Processing
Any operation performed on Personal Data including collection, storage, recording, organization, adaptation, alteration, retrieval, sharing, disclosure, erasure, or destruction.
- Data Subject
The natural person to whom the Personal Data relates.
- Encryption
The process of converting readable data into unreadable text during storage or transmission.
- Employee
Any Director, Officer, Agent, Contractor, Temporary Employee, Intern, or other individual working for Casabot.
- Integrity
Ensuring reliability and correctness of data by preventing unauthorized alteration.
- Personal Data
Any data relating to an identified or identifiable natural person, including sensitive and biometric data.
- Privacy Impact Assessment
An analysis of how personally identifiable information is collected, used, shared, and maintained.
- Privacy Notice
A notification informing Customers about personal information handling practices.
- Pseudonymization
Processing Personal Data in a way that prevents attribution to a Data Subject without additional safeguarded information.
- Senior Management
The executive management responsible for Casabot’s day-to-day operations.
- Third Party
Any external individual or organization performing activities on behalf of Casabot.
TABLE OF ABBREVIATION / GLOSSARY
- Board — Board of Directors
- DPIA — Data Protection Impact Assessment
- PII — Personally Identifiable Information
- Policy — Data Privacy and Protection Policy
- RoPA — Record of Processing Activities
- UAE — United Arab Emirates
APPLICABLE LAWS & REGULATIONS
- EU General Data Protection Regulation (EU) 2016/679 (“GDPR”)
- UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”)
- Issuer: Federal Decree
- Timeline: 2021
- ADGM Data Protection Regulations
- Issuer: ADGM
- Timeline: 2021
- Introduction
- Background
Data privacy and protection are crucial to ensuring the security and integrity of an organization’s information assets and are an increasingly important consideration given the laws and regulations being implemented regarding data privacy concerns. To ensure compliance with all applicable data privacy laws and regulations, it is vital for Casabot FZCO DMCC (hereinafter “Casabot”) to ensure that a robust data privacy and protection program is established and implemented within its organization to handle all data privacy-related matters.
- Objective
The objective of this Policy is to establish a robust data privacy and protection program to ensure protection of personally identifiable information and Casabot’s information that is collected, processed and stored as part of business and operational requirements of Casabot.
- Scope
- This Policy applies to Casabot’s products/services and its direct and indirect wholly owned subsidiaries, as well as suppliers including but not limited to contractors, sub-contractors, auditors, consultants, and Customers who have access to Casabot’s information systems.
- Unless specifically mentioned in the Policy, all the documents, departments, policies and procedures, Senior Management, and committees are referred to in Casabot’s context, and this Policy applies to all of the data controlled or processed, either directly or indirectly, by Casabot.
- Legal and Regulatory Framework
- This Policy shall be read in conjunction with:
- Casabot Privacy Policy
- End User License Agreement (EULA)
- In case of inconsistency, Casabot shall ensure that data protection obligations remain compliant with applicable law, regardless of contractual limitations.
- Casabot processes Personal Data in accordance with applicable data protection laws, including:
- EU General Data Protection Regulation (EU) 2016/679 (“GDPR”)
- UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”)
- ADGM Data Protection Regulations 2021 (where applicable)
- Casabot adopts the highest standard of compliance where multiple regimes apply.
- Where obligations differ between jurisdictions, Casabot shall apply the stricter requirement unless otherwise legally required.
- This Policy is designed to operationalize compliance across Casabot’s AI-powered IoT platform, including edge computing environments, cloud services, and cross-border deployments.
- Policy Governance
- The Policy shall be approved and issued by the Risk and Compliance Committee (“RCC”) under the authority delegated to it by the Board.
- Any exceptions to this Policy shall be approved by the RCC, and all approvals for such exceptions will be discussed and ratified by the Board.
- This Policy shall be reviewed at least once in 12 months (annually) or more frequently as per regulatory or business requirements, to ensure that it is kept up to date. All amendments shall be appropriately documented and approved prior to implementation.
- The Data Protection Officer shall be the owner of this Policy and in turn shall be responsible for ensuring adherence to the principles stated within this Policy.
- The implementation of the Policy shall be the responsibility of the Technology Department under the guidance of Risk and Compliance Departments.
- When material changes to the Policy are made to reflect changes in any regulatory requirements or in Casabot’s business, all Employees should be notified of these changes.
- Any breaches of this Policy are required to be notified to the Risk Department, Compliance Department and Technology Department.
- Confidentiality
The contents of this Policy are confidential, and no information pertaining to it shall be shared, discussed, or revealed to anyone outside Casabot without explicit approval from the Chief Executive Officer (“CEO”).
- Disclaimer
This Policy has been prepared for the purpose of a license application. The contents of this Policy may be updated to address the business and regulatory requirements as and when they become available, during the implementation phase of Casabot, prior to the launch of Casabot.
- Principle Policy Statements for Data Privacy and Protection
- Data Controller and Processor Roles
- Casabot may act as:
- Data Controller – where determining purposes and means of processing
- Data Processor – where processing data on behalf of enterprise customers
- Where Casabot acts as a processor:
- Processing shall be governed by written agreements
- Instructions from the controller shall be followed
- Assistance shall be provided for data subject rights and compliance obligations
- Data Protection Principles
- Casabot shall ensure that all Personal Data is processed in accordance with the following principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
- Casabot shall be responsible for demonstrating compliance with these principles at all times, including maintaining appropriate records, policies, and technical measures.
- Privacy and Protection of Data
- Data Privacy and Protection Regulations
- Casabot shall maintain a register of the applicable laws, regulations, circulars, standards, and guidelines pertaining to data privacy and protection against which it must comply and ensure this is regularly updated based on changes to existing regulations as well as the introduction of new regulations that are applicable to Casabot’s operations.
- Casabot shall establish a comprehensive data privacy and protection program, based on the applicable laws and regulations, to ensure the protection of its information and data assets.
- Casabot shall periodically conduct compliance reviews against applicable legal, statutory and legislative requirements pertaining to data privacy and protection. The results of these reviews shall be distributed to Senior Management, the data steward and data custodians for continual improvement of the data privacy and protection program.
- Data and Information Classification
- Casabot shall establish an information and data classification scheme detailing the criteria for determining the sensitivity of a dataset, as well as the applicable controls and countermeasures for each sensitivity label.
- Casabot’s data shall be classified in terms of its value, legal requirements and sensitivity to enable staff to apply the right handling mechanism, and the classification must be in line with Casabot’s agreed data classification scheme and aligned with global best practices. In the event a data set contains elements of different data classifications, Casabot shall ensure the most sensitive data element class is assigned to the data set.
- The data owner is responsible for identifying the appropriate data protection methods according to the data classification, retention, collection, and processing scheme.
- The data owner is required to create and maintain a data catalogue which should include the metadata information and standards for data in a unified format, which should also be updated periodically.
- The data owner must ensure that all classified data is transferred or removed from equipment and Casabot’s assets prior to disposal of the equipment hosting the data, as per the Asset Management Procedure.
- The table below outlines Casabot’s data classification tiers.
Casabot Data Classification Tiers
- Tier 1: Confidential
The highest level of classified data. Exposure to unauthorized personnel or the public could cause grave damage to Casabot. Strict confidentiality must be maintained throughout the information lifecycle to prevent unintended or accidental disclosure.
- Tier 2: Private
Data intended to remain private within Casabot. Unauthorized disclosure could result in severe damage to Casabot.
- Tier 3: Sensitive
Data specific to Casabot that may result in damage to Casabot if exposed or breached.
- Tier 4: Public
Unclassified data intended for public visibility. Appropriate measures should still be taken to maintain the integrity of the data.
- Data Management and Governance
- Casabot shall establish and maintain a Data Management Procedure which addresses data sensitivity, data ownership, handling of data, data retention limits, and disposal requirements, based on the sensitivity and retention standards for Casabot. Data retention must include both minimum and maximum timelines as per the requirements stipulated by the applicable laws and regulations. This procedure shall be developed by the data steward as part of the data privacy and protection program.
- Casabot shall ensure that the confidentiality, integrity and availability of data is protected by the data custodian through the implementation of all required administrative, physical and technical countermeasures to ensure data protection against loss, damage, disclosure, or breach by any unauthorized third party. Such measures shall be appropriate to the nature and scope of Casabot’s activities, and the sensitivity of any personal information collected and stored. The following considerations shall be applied in implementing the appropriate level of protection for Personal Data:
- Processing and encrypting Personal Data.
- Implementation of data Pseudonymization.
- Continuous confidentiality, integrity, availability and flexibility of processing systems and services.
- Restoring availability and timely access to Personal Data in the event of force majeure.
- Testing and evaluating the effectiveness of technical and regulatory measures to ensure processing security.
- Casabot shall ensure that data is disposed of securely, as outlined in the data management procedure, to ensure the appropriate disposal process and method(s) are used relative to the sensitivity label assigned to the dataset.
- A Data Protection Impact Assessment (“DPIA”) shall be conducted by the data steward on a periodic basis or whenever significant changes occur to the environment to identify potential sensitive information at risk and ascertain that appropriate technical measures are in place to protect such information. Significant changes can include the introduction of new technologies within Casabot’s environment that could result in a risk to Data Subjects, and a DPIA is mandatory in the following scenarios:
- Where the processing involves systematic and extensive evaluation of Data Subjects’ Personal Data which is based on automated processing, or which has legal effects on or might significantly affect the Data Subject.
- Where large-scale processing of sensitive data is involved.
- Casabot shall appoint a data protection officer with the adequate skills and knowledge to protect Casabot’s data.
- The responsibilities of the data protection officer are to:
- Oversee the implementation and compliance of the data management control framework and any related requirements for data protection and privacy laws.
- Ensure there is adequate monitoring and preventive controls in place to detect any unauthorized or accidental loss, misuse, modification, access, disclosure or destruction of Personal Data.
- Ensure that verifications are regularly carried out on the legitimacy of the collection of, access to, and integrity of the Personal Data (and the electronic procedures), and address any issues identified.
- Assess whether the controls are commensurate with the criticality and sensitivity of the relevant systems and Personal Data handled.
- Ensure that detailed monitoring records and the actions taken are maintained for 5 years.
- Casabot shall also ensure that a Record of Processing Activities (RoPA) is created and maintained regarding the data being processed by Casabot, and the RoPA must contain the following:
- Details of the data owners and data protection officer.
- A description of the categories of Personal Data Casabot processes.
- The purpose(s) of the processing.
- Information in relation to the persons authorized to access the personal information.
- Retention period and limits of the processing.
- The method of erasing or rectifying the information.
- Any information related to cross border data transfers.
- Any information related to the technical and organizational measures used by Casabot to secure and protect personal information.
- IoT and Smart Device Data Processing
- Casabot processes data generated by connected devices, including but not limited to:
- Device telemetry
- Environmental data (e.g. temperature, lighting, energy usage)
- Automation triggers and behavioral patterns
- Where possible, data is processed locally at the edge to reduce exposure and enhance privacy.
- Casabot shall ensure:
- Clear delineation between device data and Personal Data
- Secure device authentication and communication protocols
- Minimization of continuous data collection where not required
- Transparency to users regarding device-level data processing
- Special care shall be taken where device data may indirectly identify individuals.
- AI and Automated Processing
- Casabot utilizes artificial intelligence and machine learning systems to analyze behavioral patterns, device interactions, and environmental data in order to deliver automated decisions and predictive functionality.
- Where such processing qualifies as automated decision-making:
- Casabot shall ensure meaningful human oversight where decisions may significantly affect individuals
- Data Subjects shall be informed of the existence of automated processing
- Safeguards shall be implemented to prevent bias, inaccuracy, or unintended outcomes
- Casabot shall not use Personal Data to train generalized AI models without explicit consent or contractual authorization.
- High-Risk Processing Activities
- Casabot acknowledges that its platform may involve high-risk processing due to:
- Continuous monitoring within private environments
- Behavioral profiling
- AI-driven automation
- Casabot shall implement enhanced safeguards including:
- Periodic audits
- Independent risk assessments
- Ongoing monitoring of AI system performance and fairness
- Data Handling, Security and Privacy Requirements including the Handling, Processing and Retention of Personal Data
- Requirements for the Handling, Processing and Retention of Data
- Casabot shall ensure that:
- Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (lawfulness, fairness and transparency).
- Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes is not considered to be incompatible with the initial purposes (purpose limitation).
- Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).
- Personal Data shall be accurate and, where necessary, kept up to date; steps shall be taken to ensure that any inaccurate Personal Data is erased or rectified without delay, and appropriate technology means are used that enable individuals to exercise their right to have direct access to review and edit their data (accuracy).
- Personal Data shall be kept in a format that permits identification of the end date of retention so that Personal Data is kept no longer than is necessary. Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes to safeguard the rights and freedom of the Data Subject (storage limitation).
- Personal Data shall be collected by obtaining Consent, either electronically or in writing, from the Data Subject for the purpose specified. Such Consent shall be clear, explicit, unambiguous and involve a clear affirmative action and should be separate from other terms and conditions and should not generally be a precondition of signing up to a service (Consent).
- Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).
- The Data Subject has the right to request Casabot for the categories of Personal Data processed, the purpose of the processing, whether Personal Data is shared inside or outside of the state, any automated decision making on his/her Personal Data, controls or standards relating to storage of Personal Data, actions for rectification, restriction or erasure of Personal Data, safeguards applied for cross-border data transfer, and actions to be taken in case of any breaches (right to access to information).
- The Data Subject has the right to receive Personal Data in a structured and readable format where the processing of data is subject to the Data Subject’s Consent (right to request data portability).
- The Data Subject has the right to have Personal Data erased where the Personal Data is no longer processed, is no longer necessary in relation to the purposes for which it was collected or otherwise processed, where the Data Subject has withdrawn Consent, or where the Personal Data does not comply with legal and regulatory requirements (right to be forgotten).
- A Data Subject who has already agreed to the collection, usage, processing or disclosure of his personal information may withdraw such Consent at any time, and Casabot shall provide an easy-to-use, practical and easily accessible way through which the person can withdraw his Consent or disable the way personal information is collected, used, processed or disclosed. Casabot shall delete the Customer’s personal information if:
- The Customer has withdrawn his Consent for the processing or usage of personal information.
- Personal Data is no longer required to provide the services requested by the Customer.
- The Customer is no longer involved in the service for which Personal Data has been collected.
- A contract has been performed or cannot be performed anymore.
- The data is no longer up to date.
- Casabot shall not do the following:
- Collect, register or process any Personal Data by illegal methods or without the Consent of the Data Subject or his representative.
- Use the Personal Data collected from Data Subjects for purposes other than those for which the data was collected.
- Casabot shall provide a comprehensive and clear Privacy Notice to its Customers which:
- Informs Customers clearly and accurately of the personal information Casabot collects, uses and stores, and the circumstances in which it shares such information with other entities.
- Informs Customers of their right to Consent, withdraw approval, or cancel any use of Customers’ personal information.
- Provides an option that allows the Customers not to receive an email, text message or phone call related to marketing materials if they do not wish to.
- Provides Customers with a prior notice of any fundamental change in their privacy policies.
- Cross Border Data Transfers
- Where Personal Data is transferred outside the UAE or the European Economic Area:
- Transfers shall only occur where an adequate level of protection is ensured
- Casabot shall implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs)
- Contractual data protection obligations
- Encryption and access controls
- Casabot shall conduct transfer risk assessments where required and maintain documentation of such assessments.
- Data Subjects shall be informed of cross-border transfers and the safeguards applied.
- Data Protection Impact Assessments (DPIA)
- Casabot shall conduct a DPIA where processing is likely to result in high risk, including:
- Large-scale processing of IoT or behavioral data
- AI-driven profiling or automated decision-making
- Monitoring of individuals within private environments (e.g. homes, hospitality settings)
- DPIAs shall:
- Assess risks to Data Subjects
- Identify mitigation measures
- Be reviewed and approved prior to deployment
- Requirements on Data Handling by Third Parties/Vendors
- Data security and privacy considerations shall be evaluated and implemented for protecting data shared with third-party vendors or contractors, and Casabot shall ensure, through contractual means, that such subsidiaries and other parties take all necessary steps and measures to protect the confidentiality and security of data and use information solely for the purpose of providing the required service. Therefore, a written agreement must be concluded between Casabot and the third-party vendor containing the following:
- Scope.
- Subject matter.
- Duration.
- Purpose.
- Nature of processing.
- Type of Personal Data.
- Categories of Personal Data.
- Suitable confidentiality obligations.
- Casabot shall ensure that the third-party vendor:
- Meets the highest standard of security, encryption and protection.
- Is properly authorized to conduct the relevant processing activities in writing.
- Is regularly monitored.
- Has restricted access to the Personal Data they are permitted to process, only for the purpose in which they are permitted to process the Personal Data.
- Does not transfer Personal Data provided by Casabot to any third party without authorization from Casabot.
- Is subject to reporting obligations to Casabot for any significant security breaches in respect of data provided by Casabot (including any Personal Data).
- Applies encryption to all Personal Data belonging to Casabot and takes measures to securely transfer the Personal Data.
- Maintains a specific record of processing activity for the data provided by Casabot.
- Is regularly audited and assessed on their compliance with their data processing obligations.
- Returns or destroys, at Casabot’s election, all data (including any Personal Data) provided to it by Casabot on termination or expiry of the agreement.
- Casabot shall ensure that Consent has been obtained from the Data Subject before disclosing his Personal Data to any subsidiary or third party for any marketing purposes that are not directly related to the provision of communications and information technology services requested by the person concerned.
- Casabot shall ensure that the location of the third party/vendor is specified, including information on how to contact them about their practices and processing Personal Data.
- Upon prior written notice, the third-party/vendor organization shall accommodate requests from Casabot to conduct audits of the organization or any third party who processes information on its behalf and to review the security measures in place to maintain the protection of information. In case Casabot is not reasonably satisfied with such measures, the organization and its affiliates shall strengthen security measures and processes as Casabot instructs and deems appropriate.
- Guidelines for the Handling of Data Breaches
- In the event of a Data Breach, Casabot shall:
- Assess the nature, scope, and impact of the breach without undue delay
- Notify the competent authority within 72 hours where required under GDPR
- Notify affected Data Subjects where there is a high risk to their rights
- Casabot shall maintain an internal incident response procedure including:
- Breach detection and escalation protocols
- Documentation of all breaches
- Remediation and mitigation actions
- Casabot shall ensure that the applicable regulations are reviewed regarding the notification timelines and requirements for Data Breaches, and the Crisis Management Procedure as well as the Incident Management Procedure shall address the steps to be followed by Casabot’s spokesperson in the event of a Data Breach. The notification shall include:
- The nature of the breach, the extent to which data has been leaked and the number of breached records, the person(s) affected, and the security levels that have been breached.
- The name and mechanism of communication with the data protection officer.
- Possible consequences of the breach, and the measures taken or proposed by the organization to address the breach.
- Documentation of the Data Breach.
- Notifying the Data Subject in the event of breach to his Personal Data.
- Data Protection by Design and by Default
- Casabot shall implement appropriate technical and organizational measures designed to:
- Integrate data protection into system architecture
- Minimize data collection by default
- Ensure only necessary data is processed
- This includes:
- Edge processing architecture
- Pseudonymization and encryption
- Access control and role-based permissions
- Training and Awareness
- Casabot shall ensure that any person engaged in the collection, handling or use of personal information and data is fully informed and trained on Casabot’s practices of protecting security and privacy, whether such person works for Casabot, or any third party contracted by Casabot for the purpose of collecting or processing the Personal Data of customers.
- Casabot shall conduct training and awareness sessions, as per the Training and Awareness Procedure, to guide all Employees on Casabot’s data privacy and protection efforts and ensure they are aware of their responsibilities pertaining to maintaining the confidentiality, integrity and availability of Casabot’s data and information assets.
- Casabot shall ensure that post training surveys are distributed to the session attendees, to gather feedback for continual improvement of the data privacy program.
- Casabot shall ensure that an annual training plan is developed to address the training requirements for the data privacy and protection program, and the following requirements shall be considered when planning the training sessions:
- Identification of the target audience.
- Existing level(s) of competency of target audience.
- Identification of a target level of competency as a result of the training.
- Ensuring that the effectiveness of the training is evaluated.
- Compliance
- Casabot Employees shall ensure adherence to this Policy, and should they feel conflicted in any way, they may raise their concern with the Technology Department, Risk Department, or Compliance Department.
- Any Employee found to have violated this Policy will be subject to disciplinary action, up to and including termination of employment. Disciplinary action should be consistent with the severity of the incident, as determined by an investigation.