The categories of Personal Data about you are as follows:

• Personal Identifiers: your first and last names and initials, your gender; date of birth, marital status (tax identification number(s), citizenship.
• Protected Personal Identifiers: samples of your signature, copies of passports, driver license, state or national identity cards, or any other unique identification numbers that are considered sensitive personal information, such as US Social Security Numbers, India Aadhar Unique Identifiers and similar.
• Family and related person details: the names and contact details of family members and former dependents or beneficiaries of trusts, and details of your attorneys or persons representing you.
• Business contact details: your business or home address; telephone number; email address; and social media profile details.
• Employment History: industry; role; business activities; names of current and former employers; their work address; telephone number; work email address.
• Financial data: Account identifiers such as bank Identifiers codes account numbers; credit card numbers; cardholder or accountholder name and details; instruction records; transaction details; and counterparty (e.g. payee) details.
• Telecommunications and Electronic Communications information: Information obtained in telephone conversations (including VoIP), and video conferencing services (e.g., Microsoft Teams, Zoom, Cisco or others) including numbers, the service used, participants to the call, etc. We may record such calls (with your consent if required) and use anti-fraud tools (such as automated identification of biometric patterns) to detect threat actors, and for your protection. We may also use automated AI tools to prepare automatic summaries or notes of such conversations using Zoom AI Companion or Microsoft Teams Copilot.

About Sensitive Personal Data: We do not archive nor collect protected categories of data indicated in Articles 9 or 10 of the GDPR.

The Data Controller and Citi entities, branches, subsidiaries, or affiliates, may process your personal information for the reasons set out below.

We do not retain historical account or product information under the legal basis of consent.

Where your consent is required for any further processing (for example if you request any personal data rights, or you ask us to transfer your financial information) you may withhold or withdraw your consent by contacting us using the details previously indicated in Section 3. However, if you do so, we will not be able to perform any specific instructions that require your consent. Withdrawing your consent will not affect the validity or legality of any activities carried out prior to its withdrawal or revocation.

We do not collect or create information about you on the bases of a statutory or contractual requirements. If we do so by virtue of a change in legislation, we will amend this statement to inform you.

We disclose your personal information, as applicable:

1. to the bank or financial institution that acquired the divested consumer finance business portfolio and, subject to legal restrictions, to in-country Citi affiliates, for the purpose of winding down a business line and other purposes identified in this Privacy Statement.
2. in case of threatened or filed litigation, to our counsel and external advisors.
3. in case of substantial business risks and as permitted by applicable law, to our parent and group companies, who may process and exchange personal data with the responsible Citigroup chief trust officer, senior risk officer, compliance officer, tax officer, anti-money laundering officer, fraud officer, audit officer, data protection officer, control officer, Citi leadership team, and Citi managers;
4. at the request of any financial institution, payment infrastructure provider, custodian, sub-custodian, fund houses, fund administrators or issuers of securities, in relation to any maturing payment or repayment of a closed (but still active) trust, loan or investment.
5. as required in order to establish, exercise or defend or to protect legal proceedings, including in relation to contracts with our clients and in order to protect the rights, property, or safety of us, our business, any Citi entities, our clients or others including to legal, tax or other professional advisors, government and law enforcement authorities, and with other parties involved in, or contemplating, legal proceedings;
6. with authorities in any jurisdiction including any government, judicial, or regulatory body of which your Data Controller entity is subject to, in the following cases: (i) if false or inaccurate information was gathered, in case of a criminal or money laundering investigation, (ii) for or in connection with an examination of us by our parent bank or other examiners; (iii) pursuant to subpoena or other legal process; (iv) at the express direction of any other authorised government agency; (v) to our internal or external attorneys or auditors; (vi) to others to whom the Data Controllers are required to make such disclosure by applicable law, including attorneys nominated to represent you under a Lasting Power of Attorney or by the Court of Protection under the Mental Capacity Act 2005.
7. we will also disclose your information:
   1. Without divulging or giving access to your banking or transaction details, to our sub-contractors who we have engaged for storage of your information under robust confidentiality undertakings.
   2. to any bank, financial institution, law firm or company that processes insurance or legal claims (including class actions) on your behalf, whether contractual or not, arising out of a closed or divested relationship, and to the Credit Management Companies you have given authority to; and
   3. to third parties providing data services to us, in respect of any claims or queries arising out of, or in relation with, any agreement that existed between you and us, including specifically our processors (a) Equiniti (in the UK) and (b) Tata Consulting Services (TCS) in Singapore and other countries.
   Where we transfer data for storage, or grant access for processing to entities outside the UK or the EU/EEA, to countries that have not attained a formal Adequacy decision by the European Commission and the UK government, we put in place standard contractual clauses (SCCs) in the form contained in the European Commission Implementing Decision (EU)2021/914 with an UK Addendum, or rely on other valid data transfer mechanisms. We also conduct data transfer impact assessments and set up specific measures to cover any gaps the impact assessment may highlight.

We archive your personal and financial data within the UK and the EU, or as authorised by local regulators, within secured IT virtual servers or private cloud networks, and physical deep archive solutions subcontracted by Citi for electronic and paper records archival entities. Please note that only us, and the bank or financial institution that acquired our consumer finance business, and our respective financial regulators, have a legal right to access or audit personal or financial data.

Due to the nature of electronic communications, data processors store transient copies that are subsequently deleted after the customer data is processed, without a requirement to retain those transient copies under applicable law.

Personal data processed in connection with a closed or divested consumer business is stored during the term in which the relevant product was open or ‘active, followed by a retention period, the length of which is reasonably determined by Citi, taking into consideration regulatory requirements to store bank data for a certain period after termination. In the UK, most information is deleted after 7 years from the closure of your product, unless the product documentation was executed as a Deed, in which case that term is 12 years. Individual transaction records are retained five (5) years after the transaction. In certain cases, such as where an audit, litigation or regulatory requests are taking place, we retain data until these are completed.

12.1 You can ask us to: (a) provide a copy of your personal information; (b) correct errors or mistakes in your personal information; (c) erase your personal information after the data storage and retention periods described in this document; (d) transfer your personal information to other organisations; and (e) restrict processing of your personal information. These rights are limited by law, in particular as this privacy notice relates to the processing of historical data stored in ‘vaults,’ certain rights relating deletion or transfer to a designated person may be impossible or involve a disproportionate effort. Citi does not use or share any data relating to divested consumer finance businesses for marketing purposes.

12.2 If you wish to exercise your data rights, or if you have any queries about your personal information, please contact Canada Square Operations Limited using the contact details provided in Section 2.1 of this Privacy Statement. If you have any unresolved concerns, you can reach out to our GDPR Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office as detailed in Section 2.