GDPR Compliance Policy
Introduction
This GDPR Compliance Policy explains how Hikari Nova ("we", "us", or "our") collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
The GDPR applies to all organizations operating within the European Union (EU) and European Economic Area (EEA), as well as organizations outside the EU that offer goods or services to individuals in the EU or monitor the behavior of EU data subjects.
We are committed to ensuring the protection of your personal data and respecting your privacy rights. This policy provides detailed information about how we process your personal data when you use our trading platform and services.
Data Controller Information
Hikari Nova is the data controller responsible for your personal data.
If you have any questions about this policy, including any requests to exercise your legal rights, please contact us at contact@hikarinova.com.
Personal Data We Collect
We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped as follows:
Identity Data: Includes first name, last name, username, title, date of birth, and government-issued identification documents.
Contact Data: Includes billing address, residential address, email address, and telephone numbers.
Financial Data: Includes bank account details, payment card details, and transaction history.
Transaction Data: Includes details about payments to and from you and other details of products and services you have purchased from us, as well as trading activity and history.
Technical Data: Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our platform.
Profile Data: Includes your username and password, your interests, preferences, feedback, and survey responses.
Usage Data: Includes information about how you use our website, products, and services.
Marketing and Communications Data: Includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use, and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), unless required for regulatory compliance purposes such as anti-money laundering (AML) and know your customer (KYC) requirements.
Legal Basis for Processing
Under the GDPR, we must have a legal basis for processing your personal data. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Contract: Where we need to perform the contract we are about to enter into or have entered into with you.
Legitimate Interest: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Legal Obligation: Where we need to comply with a legal or regulatory obligation.
Consent: Where you have provided your consent to the processing of your personal data for one or more specific purposes.
We have outlined below the legal bases we rely on for each type of processing activity:
| Purpose/Activity | Type of Data | Legal Basis for Processing |
| --- | --- | --- |
| To register you as a new customer | Identity, Contact | Performance of a contract with you |
| To process and deliver your orders including managing payments and collecting money owed to us | Identity, Contact, Financial, Transaction, Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us) |
| To manage our relationship with you | Identity, Contact, Profile, Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website | Identity, Contact, Technical | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud); Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you | Identity, Contact, Profile, Usage, Marketing and Communications, Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy); Consent (for certain marketing activities). |
Your Data Protection Rights
Under the GDPR, you have the following rights in relation to your personal data:
Right to Access: You have the right to request copies of your personal data. We may charge you a small fee for this service.
Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions.
Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
Right to Withdraw Consent: If we are relying on consent as the legal basis for processing your personal data, you have the right to withdraw your consent at any time.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at contact@hikarinova.com.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure of your personal data
- The purposes for which we process your personal data and whether we can achieve those purposes through other means
- The applicable legal requirements
For legal and regulatory compliance purposes, we typically keep basic information about our customers (including Contact, Identity, Financial, and Transaction Data) for a minimum of five years after they cease being customers.
In some circumstances, you can ask us to delete your data. See "Your Data Protection Rights" above for further information.
In some circumstances, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Our security measures include:
- Encryption of personal data
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regular testing, assessing, and evaluating of the effectiveness of technical and organizational measures for ensuring the security of the processing
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
International Transfers
We may share your personal data within our group of companies and with external third parties, which may involve transferring your data outside the European Economic Area (EEA).
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe (Standard Contractual Clauses).
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact our Data Protection Officer if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Data Breach Procedures
In the event of a data breach that affects your personal data, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to your rights and freedoms.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
- Provide you with the following information about the breach:
  - A description of the nature of the breach
  - The name and contact details of our Data Protection Officer
  - A description of the likely consequences of the breach
  - A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
- Document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.
We maintain a data breach response plan that is regularly tested and updated to ensure we can respond effectively to any data breach.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this GDPR Compliance Policy and our data protection practices in general.
The responsibilities of our DPO include:
- Informing and advising us and our employees about our obligations under the GDPR and other data protection laws
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits
- Acting as the point of contact for data subjects and the supervisory authority
- Cooperating with the supervisory authority
If you have any questions about this policy or our data protection practices, please contact us at contact@hikarinova.com.
Changes to This Policy
We may update this GDPR Compliance Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. When we do, we will update the date at the top of this policy.
We encourage you to periodically review this policy to stay informed about our data protection practices. If we make material changes to this policy, we will notify you by email or through a notice on our website before the change becomes effective.
Your continued use of our services after any changes to this policy constitutes your acceptance of the updated policy.
How to Contact Us
If you have any questions, concerns, or requests regarding this GDPR Compliance Policy or our data protection practices, please contact us at contact@hikarinova.com.
You have the right to make a complaint at any time to the supervisory authority for data protection issues in your country. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.