PRIVACY POLICY

PRIVACY POLICY OF PEER-TO-PEER LENDING PLATFORM “PASKOLŲ KLUBAS”

Effective as of 15 January 2026

This Privacy Policy (hereinafter referred to as the Policy) defines how NEO Finance, AB (hereinafter referred to as NEO Finance, the Company, we) collects, uses, stores and otherwise processes personal data relating to (i) the Company’s clients and other natural persons who have expressed an interest in the Company or its services, or who access and/or use the Company’s mutual lending platform “Paskolų klubas” (hereinafter referred to as the Platform), including without limitation prospective and existing investors, recipients of consumer credit borrowers, and representatives of business partners and service providers whose personal data are processed for the purposes of cooperation, (ii) visitors of the Company’s website https://www.paskoluklubas.lt/ (hereinafter referred to as the Website) (iii) persons who open and use an electronic money account (hereinafter referred to as Clients, you), and (iv) individuals applying for employment with the Company, and (v) other persons whos personal data is processed in connection with Platform’s services (hereinafter referred to as the Services).

The Policy further establishes the key principles, procedures and requirements applied by the Company in the processing of personal data in order to ensure the confidentiality and security of such data and to safeguard your rights in connection with the provision and use of the Platform’s Services.

Data controller

NEO Finance, AB, legal entity code 303225546, Ukmergės g. 126, LT-08100, Vilnius, e-mail [email protected], is the data controller of your personal data.

If you have any questions regarding the processing of your personal data or the exercise of your rights, please contact our Data Protection Officer by e-mail at [email protected].

WHO ARE WE?

NEO Finance is an electronic money institution (Electronic Money Institution License No. 7 issued on 5 January 2017) and is also included in the public list of peer‑to‑peer lending platform operators (TSPO) administered (supervised) by the Bank of Lithuania and in the public list of consumer credit providers. Using the trademark “Paskolų klubas”, the Company operates a peer‑to‑peer lending platform and provides its clients (Users) with financial services to those who use the Platform with the intention of providing funds to finance Consumer Credits (Investors) and/or to individuals who seek to obtain a consumer credit (consumer credit Borrowers, as specified under the Terms of use of the Platform(https://www.paskoluklubas.lt/en/page/29/general-payment-services-agreements).

We recognize the importance of and care about your privacy and personal data security and we are fully committed to processing personal data relating to our clients and other individuals (including prospective clients and persons expressing an interest in our services) strictly in accordance with the applicable principles, legal requirements and this Privacy Policy.

Please read this Policy carefully in order to understand the terms and conditions governing the processing of your personal data.

Supplementary information regarding the processing of personal data may be provided in other documents (including, without limitation, payment service agreements, the Cookie Policy and/or separate privacy notices). This Privacy Policy shall be read and applied together with such documents.

WHAT PRINCIPLES DO WE FOLLOW WHEN PROCESSING PERSONAL DATA?

In processing personal data, we adhere to the applicable data protection principles and ensure that personal data are processed lawfully, fairly and transparently, are collected for specified, explicit and legitimate purposes, are adequate, relevant and limited to what is necessary, are accurate and, where necessary, kept up to date, and are retained no longer than necessary.

We ensure the confidentiality, integrity and availability of personal data by implementing appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, as well as against any other unlawful processing.

WHEN DO WE PROCESS YOUR PERSONAL DATA?

We collect and process your personal data only to the extent necessary for the achievement of specified legitimate purposes and only where we have an applicable legal basis for such processing. We may process your personal data where:

such processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract;
we are required to do so in order to comply with a legal obligation to which the Company is subject;
such processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms; or
you have provided your consent to the processing of your personal data for one or more specific purposes, to the extent such consent constitutes the relevant legal basis.

Personal data may be collected directly from you, including where you use the Services, enter into agreements with us (in your own name or on behalf of other persons), submit your CV and/or other employment-related information, contact us with enquiries, communicate with us via the Website and/or social media channels, follow our activities on social media, visit the Company’s premises, or otherwise interact with us.

We may also obtain personal data indirectly, including from persons you represent, your spouse(s) (where applicable and lawful), our data processors and other service providers, self-employed persons who provide financial documents for the purposes of assessing your creditworthiness, and/or in the course of providing payment services where the Company acts as a payment service provider. We may further obtain personal data from relevant databases, registers and information systems, as well as from other external sources, including, without limitation, the Bank of Lithuania, other financial institutions and international sanctions lists, to the extent permitted or required by applicable law.

Please note that you are not under a statutory or contractual obligation to provide personal data; however, where such data are required to provide the Services or to achieve other specified purposes, failure to provide the relevant personal data may result in our inability to provide the Services and/or to perform certain actions or obligations.

WHAT PERSONAL DATA DO WE PROCESS?

The scope of personal data processed, including categories of personal data and the processing operations carried out depends on your status and the nature of our relationship with you, as well as on the services you use or enquire about. Accordingly, the personal data processed may vary depending on whether you are our client, a prospective client, a visitor to our Website who seeks information and/or contacts us, a user of the Platform and/or payment services, or an individual participating in a recruitment process for a position within the Company.

PERSONAL DATA PROCESSING WHEN USING THE PEER‑TO‑PEER LENDING PLATFORM SERVICES

REGISTRATION OF INVESTORS ON THE PLATFORM

When you express your wish to become a Platform User and register in order to try the Platform’s functionalities and possibly invest in the future, we process your e‑mail address, telephone number and password.

Purpose of data processing	To register a Platform User (Investor) and administer their account
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	12 months from registration on the Platform (if no e-money account agreement is concluded)

REGISTRATION OF CONSUMER CREDIT BORROWERS ON THE PLATFORM

When you register as a Platform User with the intention of borrowing (obtain a consumer credit), we process your first name, last name, personal identification number, e‑mail address, telephone number and password.

Purpose of data processing	To register the Platform User (Credit Recipient) and administer their account
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	12 months from registration on the Platform (if no creditworthiness assessment is performed and no e-money account agreement is concluded)

CLIENT (INVESTOR) ONBOARDING (IDENTITY VERIFICATION, IMPLEMENTATION OF ANTI‑MONEY LAUNDERING AND COUNTER‑TERRORIST FINANCING REQUIREMENTS)

When you wish to open an electronic money account, you must fill in an investor’s questionnaire. As a financial institution, we are obliged to check every potential client in accordance with the Anti‑Money Laundering and Counter‑Terrorist Financing and related legal requirements (hereinafter – AML/CTF requirements), including the verification of the potential client’s identity.

When providing our services, we are obliged to collect certain personal data and information and to carry out mandatory procedures set out in AML/CTF requirements – client identification, implementation of the “Know Your Customer” (KYC) principle, and ongoing monitoring of the client and the client’s transactions, in order to ensure that they match the client’s risk profile, financial position and the information held by the Company about the client, enabling us to detect unusual or suspicious transactions. For this purpose we process the following personal data:

If you are a private individual

If you are a legal entity

Name, last name, personal identification code, date of birth, citizenship, address, copy of identity document, identity document data, Customer and beneficiary profile data, personal identification features (live, e-mail/mobile signature, using Idenfy services), when determining identity remotely: e-mail/mobile signature data; image data (personal image (face photo), personal identification document photo, time, date of image transmission);, bank account payment data, value of transactions performed, whether the person holds public office or whether he or his family member is a politically exposed person (PEP)), risk group, pseudonym, alternative names, reason for rejection of identification, identification date, time, IP address, browser data, publication of a person's search

Company name and code
Name, last name, documents confirming representation of the legal entity representative, Client and beneficiary information, client manager information (name, last name, personal code/date of birth, citizenship, personal identity document data, identification features (live, electronic/mobile signature, markID), remote identification: electronic/mobile signature data; image data (personal image (face photo), personal identity document photo, time and date of image transmission); bank account payment data), whether he holds public office or whether he or his family member is a politically exposed person (PEP))
Beneficiary's name, last name, personal identification number, date of birth, citizenship, address, Customer and beneficiary profile data, electronic signature data, when determining identity remotely: electronic signature data; image data (personal image (face photo), photo of personal identification document, time and date of image transmission), sources of funds/income, whether the person holds public office, risk group, pseudonym, alternative names, share of shares and other rights held in a legal entity

Purpose of data processing	Client onboarding – identity verification, implementation of Anti-Money Laundering and Counter-Terrorist Financing and Know Your Customer requirements
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company (the Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing, the Law of the Republic of Lithuania on the Implementation of Economic and other International Sanction)
Data retention period	8 years after the end of transactions or contractual/business relationships with the customer

OPENING OF AN ELECTRONIC MONEY ACCOUNT

When you wish to open an electronic money account with us and/or conclude a payment service agreement, depending on whether you are a natural person opening an account and concluding an agreement in your own name or a legal entity wishing to open a company account, we process:

If you are a private individual

If you are a legal entity

Name, last name
Personal code / Date of birth
Email address
Phone number
Residential address
Citizenship
Personal identification document number (ID card or passport)
Individual activity certificate number
electronic money account number (date of opening, money turnover in it)
Account transaction limits
Current account number at another credit institution,
Password
Signature

Contact person (name, last name, position, telephone number, e-mail address)
Personal data of the signatory (name, last name, telephone number, citizenship, personal identification number (if not applicable – date of birth), signature)
Data of the head of the legal entity (name, last name, personal identification number/date of birth, telephone number, e-mail address, address, citizenship, copy of personal identification document)
Final beneficiary details (name, last name, personal identification number/date of birth, email address, address, citizenship, copy of personal identification document)

Purpose of data processing	To open and administer an electronic money account
Legal basis for data processing	GDPR Article 6(1)(b) – Performance of a contract or necessity to take steps at your request prior to entering into a contract
Data retention period	10 years after termination of the agreement and end of business relationship/account closure

CONCLUSION AND PERFORMANCE OF AGREEMENTS WITH INVESTORS (LENDERS)

When you decide to invest on our Platform and conclude an investment agreement, we process: first name, last name, personal identification number, date of birth, place of residence (address), telephone number, e‑mail address, age, amount invested, investment conditions, rating of the person to whom the loan is granted, payment history, pseudonym (nickname), data on representation, date of conclusion of the agreement, method of signing, electronic money account and turnover on it, investment statement, investor status, password (to confirm the investment), nationality, bank accounts.

Purpose of data processing	To conclude and perform the agreement with the investors
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement

WITHHOLDING AND REMITTING INVESTORS’ TAX LIABILITIES

In order to ensure the fulfilment of investors’ mandatory tax obligations, we are obliged to withhold taxes payable from investors’ income and transfer them to the state budget. For this purpose we investors first name, last name, personal identification number, date of birth, place of residence (address), status as a resident/non‑resident of the Republic of Lithuania, amount of interest, amount of tax.

Purpose of data processing

Transferring the taxes payable by investors to the tax authorities

Legal basis for data processing

GDPR Article 6(1)(b) – performance of a contract with the data subject

GDPR Article 6(1)(c) – Legal obligation to which the Company is subject

Data retention period

For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement

ASSESSMENT OF CONSUMER CREDIT BORROWERS’ CREDITWORTHINESS

In order to determine whether a particular Client can be granted a consumer credit and under what conditions such credit may be granted, following legal requirements and responsible lending principles, the Company must assess the creditworthiness of consumer credit borrowers. For the purposes of the creditworthiness assessment, we process: first name, last name, personal identification number, place of residence and declared place of residence (address), nationality, identity document data and its copy, age, current and previous employer, telephone number, e‑mail address, information about income received, type and sources of income, account statements of accounts receiving income, data of business certificate and individual activity certificate, income and expenses ledger, documents evidencing income changes, tax declaration data, copies of documents evidencing receipt of regular benefits, data about assets held and encumbrances on such assets, number of children and dependants, marital status, desired consumer credit conditions, bank account number, credit rating, credit rating validity period, credit history, types and amounts of desired financial obligations in respect of which a negative decision was taken, existing obligations and delays, consumer credit purpose, data of the credit being refinanced, and whether the person is/is not included in the List of Persons who have requested to be prohibited from entering into consumer credit agreements.

Purpose of data processing

To assess the creditworthiness of consumer credit borrowers

Legal basis for data processing

GDPR Article 6 (1) (b) – performance of a contract with the data subject

GDPR Article 6(1) (c) – Legal obligation applicable to the company (of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing)

GDPR Article 6(1) (a) – consent of the data subject (for updating data)

Data retention period

For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement (if a contract is concluded on the basis of the submitted application)

3 years from receipt of data (if no agreement is concluded)

CONCLUSION AND PERFORMANCE OF AGREEMENTS WITH CONSUMER CREDIT BORROWERS

When we assess your application and decide to grant consumer credit and enter into a credit agreement, we process the following personal data: your first and last name, personal identification number, residential address, employer, telephone number, email address, rating and the credit rating validity period, pseudonym (nickname), electronic money account details and account turnover, credit history, the purpose of the consumer credit, and—where the credit is granted for refinancing—details of the credit to be refinanced, as well as the date the consumer credit agreement is concluded.

Purpose of data processing	To conclude and execute a consumer credit agreement with consumer credit borrower
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement

IMPLEMENTATION OF “KNOW YOUR CUSTOMER” (KYC) PRINCIPLE AND ANTI‑MONEY LAUNDERING AND COUNTER‑TERRORIST FINANCING (AML/CTF) REQUIREMENTS AND DATA UPDATING

To comply with the Know Your Customer (KYC) principle and the AML/CTF obligations set out in law, we must continuously monitor the client’s business relationship and financial transactions and keep the relevant information up to date. For these purposes, we process information provided in the client and beneficial owner questionnaires, the name, any alternative names, and the number of shares or other rights held in a legal entity

Purpose of data processing	Ongoing monitoring of Clients’ business relationships and financial transactions, and updating of Client data
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company (Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing, Law of the Republic of Lithuania on the Implementation of Economic and other International Sanctions)
Data retention period	8 years after the end of transactions or the termination of contractual/business relationships with the client

MONITORING OF SUSPICIOUS FINANCIAL OPERATIONS

In line with legal obligations on preventing money laundering and terrorist financing, we monitor potentially suspicious financial activities and transactions, analyze relevant data, evaluate risk, and, where required by law, provide information to the competent authorities. For these purposes, we process the client’s and beneficial owner’s first and last name, financial operations data (including executed operations or transactions), behavioral data, transaction history, and other relevant information.

Purpose of data processing	To identify and prevent suspicious financial transactions
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company (Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing)
Data retention period	8 years after the end of transactions or the termination of contractual/business relationships with the client

SUBMISSION OF DATA INFORMATION SYSTEM INFOBANKAS AND CREDIT BUREAU SYSTEM ADMINISTERED BY UAB "CREDITINFO LIETUVA

For the purpose of transferring data to the information systems and credit bureau system administered by UAB “Creditinfo Lietuva”, we process the following personal data of consumer credit recipients who are late in fulfilling their obligations and persons who were refused a consumer credit: first name, last name, personal identification number, residential address, date of conclusion of the consumer credit agreement, amount of consumer credit, interest, payment term, payment and delay history (amount of debt and payments, dates of debt and payments, debt identification number and type).

For the purpose of submitting data to the information systems and the credit bureau system managed by UAB “Creditinfo Lietuva”, we process the following consumer credit borrowers, who have overdue obligations, personal data as well as individuals whose consumer credit applications were declined: first name, last name, personal identification number, residential address, consumer credit agreement date, consumer credit amount, interest, repayment term, and payment/delinquency history (including the outstanding debt and payments, relevant dates, debt identification number, and debt type).

Purpose of data processing

To submit data to the information system "Infobankas" and the credit bureau system administered by UAB "Creditinfo Lietuva"

Legal basis for data processing

GDPR Article 6(1)(f) – legitimate interest of the Company and third parties (to ensure the Company and other third parties (financial institutions, insurance companies, telecommunications companies, etc.) can properly assess an individual’s creditworthiness/ability to pay and manage indebtedness))

Data retention period

Data are submitted for the duration of the agreement with the consumer credit borrower and until the obligations are fulfilled.

Information about declined consumer credit applications are provided once (UAB “Creditinfo Lietuva” is processing data as an independent controller).

SUBMISSION OF DATA TO THE LOAN RISK DATABASE (PRDB) ADMINISTERED BY THE BANK OF LITHUANIA

To comply with legal obligations, the Company submits information of consumer credit borrowers (recipients of consumer credit) and the loans granted to them to the Loan Risk Database (PRDB) administered by the Bank of Lithuania. For this purpose, we process consumer credit borrowers first name, last name, personal identification number, address, residency status, information on the fulfilment or non-fulfilment of obligations, loan type, agreement status, loan start date, planned end date, application date, loan purpose, agreement ID, signing date, agreement currency, credit amount, total amount payable, monthly instalment, number of instalments, average monthly instalment, annual interest rate, annual percentage rate of charge, payment type, and payment frequency.

Purpose of data processing	To provide data to the Loan Risk Database (PRDB) administered by the Bank of Lithuania.
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company (Rules for the Management of the Loan Risk Database, approved by Resolution No. 03-103 of the Board of the Bank of Lithuania of 28 July 2016)
Data retention period	For the duration of the consumer credit agreement and until the obligations are fulfilled

CONCLUSION AND PERFORMANCE OF REMUNERATED SURETYSHIP AGREEMENTS

When the Company provides crowdfunding services to investors and seeks to conclude and perform a remunerated guarantee agreement, we process personal data of investors (lenders) and consumer credit borrowers (consumer credit recipients):

Creditor’s first name, last name, personal identification number, address, date of birth, address, data on representation, amount invested;
Personal data of the credit recipient are stored to the same extent as in a case where an individual applies for a consumer credit (data processed for the creditworthiness assessment).

Purpose of data processing	To conclude and execute a paid suretyship agreement
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement

COMMUNICATION WITH ELECTRONIC MONEY ACCOUNT HOLDERS

When you open an electronic money account with the Company, in order to clarify your needs we may contact you so that we can better understand and assess your needs and provide you with the best offer or assist you if you encounter difficulties in completing applications, questionnaires, etc. For this purpose we process: first name, last name, contact details (telephone number and e‑mail address/address).

Purpose of data processing	Contacting individuals who have opened e-money accounts to identify their needs
Legal basis for data processing	GDPR Article 6(1)(a) – consent of data subject
Data retention period	For the duration of the agreement

DEBT ADMINISTRATION AND RECOVERY

In carrying out debt prevention, administration and recovery, we process personal data of consumer credit recipients who are late in fulfilling their obligations, including automated reminders of outstanding obligations and actions in out‑of‑court and court recovery processes. For this purpose we process: first name, last name, personal identification number, date of birth, place of residence (address), telephone number, e‑mail address, amount of debt, length of delay, payment date, employer, data on solvency for the purposes of debt recovery, collateral held.

For debt prevention, administration, and recovery purposes, we process the consumer credit borrowers, who have overdue obligations, personal, including sending automated reminders about outstanding liabilities and taking steps in both out-of-court and court recovery proceedings. For these purposes, we process first name, last name, personal identification number, date of birth, residential address, telephone number, e-mail address, debt amount, duration of the delay, payment date, employer, solvency-related data for debt recovery purposes, and information on any collateral held.

Purpose of data processing	To ensure proper administration and collection of incurred debts from consumer credit borrowers
Legal basis for data processing	GDPR Article 6 (1) (f) – legitimate interest of the Company and a third party (investors) – to recover the lent and/or invested funds
Data retention period	For the duration of the agreement and 10 years after the end of the agreement and fulfilment of obligations, completion of debt recovery, or drafting of a certificate that the debt is irrecoverable

REFERRAL PROGRAMME “INVITE A FRIEND”

To expand our business and grow our client base, existing clients may refer their friends, acquaintances, or other individuals to become our clients and join the group of “Platform investors. For the purpose of administering the referral program, we process the client’s first name, last name, e‑mail address, the amount of remuneration payable for the referral, and the referral code.

Purpose of data processing	To enable the client to invite a friend to join the Platform and receive additional remuneration
Legal basis for data processing	GDPR Article 6 (1) (a) – consent of the data subject
Data retention period	3 months after the invited person’s registration on the Platform

COMPLAINT HANDLING

To ensure proper handling and administration of complaints, we process personal data of the Company’s clients and other persons who have submitted a complaint: first name, last name, address, telephone number, e‑mail address, date of complaint, other personal data provided in the complaint and/or necessary for the examination of the complaint, technical data (if the complaint is submitted by electronic means – IP address, location, device, browser, etc.).

Purpose of data processing	To investigate a complaint from a customer or other person
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company (Resolution No. 03-105 of the Board of the Bank of Lithuania of 6 June 2013) (this basis applies when a client or a third party submits a complaint regarding the services provided by the Company)
Data retention period	3 years after the resolution of the complaint

HANDLING REQUESTS AND ENQUIRIES AND PROVIDING RESPONSES

To ensure effective communication with clients, to examine their requests and enquiries and to provide responses, we process personal data of clients: first name, last name, e‑mail address, message text, subject if an enquiry is submitted via the Company’s website, technical data (if the request is submitted by electronic means – IP address, location, device, browser, etc.).

Purpose of data processing	To ensure effective communication with clients by reviewing and responding to their requests and inquiries
Legal basis for data processing	GDPR Article 6 (1) (c) – performance of a contract with the data subject
Data retention period	For the duration of the agreement

RECORDING OF TELEPHONE CALLS FOR THE PURPOSE OF ENSURING CUSTOMER SERVICE QUALITY, FRAUD PREVENTION AND CREDITWORTHINESS ASSESSMENT

To maintain high standard of client service quality, ensure proper provision of our services, prevent potential fraud and conduct client creditworthiness assessment, we record telephone conversations This enables us to objectively analyze client service processes, identify and resolve potential disputes, ensure transparency of communication, and protect the interests of both our clients and the organization. For these purposes, we process incoming and outgoing voice calls and their recordings, the date, time and duration of the call, the caller’s telephone number, voice data, and any other personal data disclosed during the call (including first name, last name, contact details, and financial data such as income and obligations).

Purpose of data processing

To ensure customer service quality, fraud prevention and creditworthiness assessment

Legal basis for data processing

GDPR Article 6(1)(a) – consent of the data subject

GDPR Article 6(1)(f) – legitimate interests of the Company (processing of employee personal data)

Data retention period

3 months – recordings for client service quality assurance

3 years – recordings for fraud prevention

10 years after the end of the agreement or fulfilment of obligations – recordings for creditworthiness assessment (when a consumer credit agreement is concluded). If no agreement is concluded – 3 years from the creditworthiness assessment

ADMINISTRATION OF THE PLATFORM’S SELF‑SERVICE PORTAL

To ensure the proper operation and administration of the Platform’s Self-Service Portal, we process personal data of the Company’s clients (consumer credit borrowers, investors, and representatives): access credentials (login name/username (e-mail address)), password, personal identification number when signing in via Smart-ID or mobile signature, and telephone number when signing in via mobile signature), Platform access and usage records (login date and time, and actions performed within the system), and client profile details (client category—credit recipient or investor, investor status, first name, last name, company, position, e-mail address, telephone number, password, and IP address).

Purpose of data processing	Proper administration of the Platform’s Self-Service Portal
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	For the duration of the agreement and 10 years after the end of the agreement and/or the fulfilment of obligations under the agreement

DIRECT MARKETING ACTIVITIES

In performing direct marketing activities and seeking to provide you with relevant information about the Company’s services, offers and promotions that may be relevant to you, as well as requesting to provide feedback on our services, thereby helping us to improve service quality or offer you new and relevant services, we process e‑mail address, telephone number, first name, last name, information on whether the newsletter was read, when and how many times it and the information in it were opened.

Purpose of data processing

Provide customers with direct marketing communication (newsletters, information about services, ongoing promotions, asking for opinions on the services provided)

Legal basis for data processing

GDPR Article 6(1)(f) – legitimate interest of the Company (to provide clients with relevant information about the Company’s services and offers that may be of interest, as well as requests to provide feedback on the Company’s services)

GDPR Article 6(1)(a) – consent of the data subject (where, after having objected to data processing for direct marketing purposes, the data subject later re-expressed a wish to receive direct marketing messages)

Data retention period

For the duration of the agreement with the data subject or until the data subject objects to data processing for direct marketing purposes

5 years from the date of consent or until the consent is withdrawn (where data are processed on the basis of consent)

ORGANISATION AND REGISTRATION FOR COMPANY ORGANIZED EVENTS

To organize and host events (such as conferences, trainings, meetings, and other activities) and to manage participant registration, we process the personal data of individuals who wish to attend and register: first name, last name, e-mail address, and the event details (name, date, and location).

Purpose of data processing	To organize events and carry out participant registration
Legal basis for data processing	GDPR Article 6(1)(b) – performance of a contract with the data subject
Data retention period	30 days after the event

ORGANISATION OF LOTTERIES AND GAMES

To organize lotteries and games and to enhance the Company’s visibility, we process clients’ first name, last name, prize won, address.

Purpose of data processing

To organize games and lotteries for the Company's clients

Legal basis for data processing

GDPR Article 6(1)(b) – performance of a contract with the data subject

GDPR Article 6(1)(a) – consent of the data subject (for public disclosure of data)

Data retention period

For the duration of the game and 30 days after announcement of the winner

DECLARATION OF PRIZES

To ensure compliance with tax obligations and declaration of amounts won by persons in lotteries and games, we process personal data of clients who have won prizes: first name, last name, personal identification number, monetary value of the prize, taxes payable.

Purpose of data processing	To declare the client’s prize to the Tax Authorities
Legal basis for data processing	GDPR Article 6(1)(c) – Legal obligation applicable to the Company
Data retention period	10 years

RECRUITMENT FOR OPEN POSITIONS IN THE COMPANY

When you apply for an open position with the Company, we process the personal data of candidates,: first name, last name, date of birth, place of residence (address), telephone number, personal e‑mail address, data on qualifications and education, CV and other data provided therein, as well as information generated during the recruitment assessment process (e.g., interview summaries, the views and notes of the person(s) conducting the recruitment, and test results where testing is carried out).

Purpose of data processing	To carry out employee recruitment and assess a candidate’s suitability for specific position
Legal basis for data processing	GDPR Article 6 (1) (c) – consent of the data subject
Data retention period	1 month after the end of recruitment for the specific position

If, after the recruitment process, we do not offer you an employment contract but believe you could be a good fit for future vacancies, we will—with your consent—retain and use your data so that we can contact you when a suitable position is announced. For this purpose, we process: first name, last name, date of birth, residential address, telephone number, personal e-mail address, information on qualifications and education, and your CV together with any other data included in it.

Purpose of data processing

To offer well‑evaluated candidates who have not been offered employment the opportunity to apply for newly created or vacant positions in the future

Legal basis for data processing

GDPR Article 6(1)(c) – consent of the data subject

Data retention period

1 year from receipt of consent

PROFILING AND AUTOMATED DECISION‑MAKING

Profiling is a form of data processing in which clients are grouped or classified according to personal characteristics relating to individuals (e.g. financial indicators, behavioral data, service usage history). his is done to choose the most appropriate service model, tailor offers, or assess risk—for example, for anti-money laundering purposes.

Automated decision‑making refers to situations where decisions about a person are made solely through automated means, without direct human involvement. The Company does not make such solely automated decisions that produce legal effects for the data subject or otherwise significantly affect the data subject, unless such processing is permitted by law or the data subject has provided explicit consent.

The Company performs profiling in order to carry out analyses necessary for providing consultations, for direct marketing purposes, and for decision‑making by automated means. Profiling contributes to processes such as creditworthiness assessment, risk management and transaction monitoring, especially in the context of fraud prevention. These processes may include automated data collection from various data sources, preliminary assessments and conclusions regarding the possibility to use services, in accordance with applicable legal acts and internal procedures.

Profiling is carried out on the following legal grounds:

Compliance with a legal obligation – when profiling is necessary for risk assessment for anti-money laundering purposes, as provided for by law.
Explicit consent of the data subject or legitimate interests – when profiling is carried out for the purposes of direct marketing or personalization of services.
Legitimate interest – in certain cases where profiling is necessary to better understand customer needs, improve services and ensure their efficient provision.

TO WHOM CAN WE DISCLOSE YOUR PERSONAL DATA?

We may provide or share your personal data with third parties depending on the legal basis for disclosure and the measures used to protect the data during transfer. This may include service providers we engage (data processors) who support us in delivering services and therefore need to process your data, as well as other recipients. Our data processors handle personal data only under Data Processing Agreements, which set out the processing terms and security requirements. They process personal data solely on our instructions, within the scope we define, and only to the extent necessary for the specified purposes. Even where we outsource processing to data processors, we remain responsible for ensuring the security of your personal data.

We may disclose your personal data to, for example:

IT service providers (e.g., hosting service providers and suppliers responsible for the development and maintenance of our information systems);
providers of AML/CTF and fraud-prevention services;
data center and infrastructure service providers (e.g., server rental services).

Other recipients to whom the Company discloses personal data act as independent controllers, meaning they determine the purposes and means of processing themselves. Your data may be disclosed to:

professional service providers (e.g., auditors, consultants, notaries, bailiffs, and providers of legal services, including lawyers);
public authorities where we are required to disclose data (e.g., the State Tax Inspectorate under the Ministry of Finance, the Bank of Lithuania, the Financial Crime Investigation Service under the Ministry of the Interior, the Police or other law enforcement bodies, courts, etc.);
other parties, where you have provided your consent.

Where necessary, we may also transfer or provide access to your personal data to IT support providers—for instance, to resolve customer service issues or to investigate and remedy security incidents.

As a rule, your personal data are processed within the European Union / European Economic Area (EU/EEA). However, certain service providers or partners may be located outside the EU/EEA, meaning that in some cases we may need to transfer your personal data to third countries. Where transfers outside the EU/EEA are required, we ensure appropriate safeguards so that your data remain protected and you can exercise your rights and access effective remedies. Transfers to third countries take place only where at least one of the following mechanisms applies:

the transfer is based on an Adequacy Decision of the European Commission;
the transfer is subject to appropriate safeguards, such as contracts incorporating the European Commission’s Standard Contractual Clauses;
in specific cases, the transfer is carried out on the basis of your explicit consent for the particular purpose.

WHAT RIGHTS DO YOU HAVE?

As a data subject, you are entitled to exercise all rights granted under the GDPR, including:

· Right to be informed and right of access – to obtain confirmation as to whether we process your personal data and, where we do, to access those data;

· Right to rectification – to request that inaccurate or incorrect personal data be corrected;

· Right to restriction of processing (other than storage) – to request that processing be limited where you consider the data to be inaccurate, incomplete, incorrect, or processed unlawfully;

· Right to erasure (“right to be forgotten”) – to request deletion of personal data where one of the grounds in Article 17(1) of the Regulation applies, unless we must retain the data under legal obligations or for the establishment, exercise, or defense of legal claims;

· Right to object – to object to processing carried out on the basis of legitimate interests, including profiling, unless we demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms, or the processing is necessary for legal claims;

· Right to data portability – to receive the personal data you have provided to the Company in a structured, commonly used, machine-readable format and, where technically feasible, to transmit those data to another controller, where processing is based on consent or a contract and is carried out by automated means;

· Right not to be subject to solely automated decision-making, including profiling;

· Right to withdraw consent – to withdraw consent at any time by notifying the Company in the manner indicated: by using the link at the end of an e-mail or, in the self-service area, by clicking “I object” (for direct marketing), by calling +37070080075 (for direct marketing), or by sending a request by e-mail to [email protected].

If you believe that the Company’s actions or failure to act infringes your rights or applicable legal requirements, you may submit a complaint to the supervisory authority, the State Data Protection Inspectorate.

HOW CAN YOU EXERCISE YOUR RIGHTS?

You may exercise your rights either personally or via an authorized representative by submitting a free-form request to us. Requests may be made verbally or in writing, in person, by post, or electronically (by e-mail to [email protected]). Your request must be clear and sufficiently detailed, specifying your first and last name, which rights you wish to exercise and to what extent, how you would like to receive our response, and it must be signed. If the request is submitted electronically, we will respond electronically as well, unless you ask in advance for a different format.

To process your request, we must verify your identity, usually by asking you to present an identity document. If your identity cannot be confirmed, we will not be able to accept the request and your rights cannot be exercised. This requirement does not apply where you contact us solely for information about personal data processing under Articles 13 and 14 of the GDPR.

When reviewing your request, we have both the right and the duty to confirm your identity, and we will do so in the simplest and most convenient way for you. Your request should therefore include enough information to enable reasonable identity verification. If the request is submitted through a representative, it must be accompanied by a written power of attorney and information confirming the representative’s identity. Where there are reasonable doubts about the identity of the person submitting the request, we may ask for additional information needed to confirm identity.

We aim to assess requests and provide the requested information without delay, and in any event no later than within 30 calendar days from the date we receive the request. If, due to particular circumstances, the complexity of the request (including where we need assistance from engaged data processors), or the volume of requests, we cannot meet this deadline, we may extend the response period by up to two additional months and will inform you promptly. We will also notify you if your request does not comply with the procedure described in this section and will indicate what is missing. If you do not remedy the identified deficiencies, or do not provide justified reasons why they cannot be remedied, we will not be able to examine your request.

Requests are handled and information is provided free of charge. However, in certain cases we may refuse to act (e.g., where a request is manifestly unfounded, excessive, or repetitive) or charge a fee reflecting the administrative costs of providing the requested information, notifications, or actions, in line with legal requirements and the Company’s established fees (for example, in cases of clear abuse of rights or unjustified repeated requests for information, data, extracts, documents, etc.).

LINKS TO OTHER WEBSITES

Our Website may include links to third-party websites, for example to the Company’s social media profiles (LinkedIn, Facebook). This Policy does not apply to any personal data processing carried out by those third parties, including social network providers. The Company is not responsible for content on such websites that is not posted by the Company, nor for those parties’ data processing practices or other activities. We encourage you to review the privacy policies and data processing terms of any external websites you visit via links provided on our Website.

VALIDITY AND UPDATING OF THE PRIVACY POLICY

We periodically review this Privacy Policy and may amend or supplement it where required, for example due to changes in applicable laws, the technologies we use, or our operations. Any updates will be published on our Website, and we encourage you to check the Policy from time to time to stay informed of changes. Amendments take effect on the date they are published on the Website, or on another effective date stated in the Policy. If you continue using our services after the updated Policy becomes effective, we will treat this as your acceptance of the changes.

If you have any questions regarding the Privacy Policy or the processing of your personal data, please contact us:

by e‑mail to [email protected]
by phone at +370 700 80 075
by post to Ukmergės g. 126, LT‑08100, Vilnius, Lithuania.

This Privacy Policy was last updated and became effective on 15 January 2026.

Cookie name	Provider	Purpose	Valid period	Type
hl	paskoluklubas.lt	Used to save website language	1 year	Necessary
PHPSESSID	NEO Finance, AB	Cookie is designed to realize the functionality of a website.	Session	Necessary
cookies_warning_dismissed	neofinance.com	Remembers that you dismissed the cookies notification	Until obtaining consent.	Necessery
JSESSIONID	neofinance.com	Is a cookie in J2EE web application which is used in session tracking.	Session	Necessery
_ptref	Prezi	Cookie targets ads based on behavioural profiling and geographical location.	1 d.	Marketing

Cookie name	Provider	Purpose	Valid period	Type
_fbp	Facebook	Is used to distinguish and keep track of your unique users.	90 d.	Marketing
_clck	Microsoft Clarity	to store a unique user ID.	1 year	Marketing
_fbc	Facebook	Is only set when a user arrives at website from an Ad	90 d.	Marketing
_webpushrEndPoint	Webpushr	To store user preferences	Session	Marketing
_webpushrLastVisit	Webpushr	This cookie stores timestamp associated with the user’s last visit on the site.	Session	Marketing
aid	Google Analytics	This cookie links your activities on other devices previously logged into using your Google account.	2 y.	Marketing
rl_trait	RudderStack	To store performed actions on the website.	1 y.	Marketing
CONSENT	neofinance.com	The cookie is intended to indicate that the user has accepted cookies	1 y.	Marketing
__Secure-3PAPISID	Google	Builds a profile of website visitor interests to show relevant and personalised ads through retargeting.	2 t.	Marketing
__Secure-3PSID	Google	Builds a profile of website visitor interests to show relevant and personalised ads through retargeting.	2 y.	Marketing
BITRIX_SM_GUEST_ID	Bitrix	Stores information about the unique ID of the website authorized user	1 y.	Marketing
ANONCHK	Microsoft Clarity	This cookie ensures that clicks from advertisement on the Bing search engine are verified and it is used for reporting purposes and for personalization.	10 minutes	Marketing
MUID	Microsoft Clarity	to store and track visits across websites.	1 year	Marketing

Cookie name	Provider	Purpose	Valid period	Type
_vwo_uuid_v2	Visual Website Optimizer (VWO)	Used to track visitor movements anonymously.	366 d.	Statistics
_hjid	Hotjar	It is used to persist the Hotjar User ID	365 d.	Statistics
_gcl_au	Google Ads	Is used by Google AdSense for experimenting with advertisement efficiency	90 d.	Statistics
_ga	Google analitics	Used to distinguish users.	90 d.	Statistics
_gid	Google Analitics	Used to distinguish users.	90 d.	Statistics
_hjAbsoluteSessionInProgress	Hotjar	This cookie is used to detect the first pageview session of a user.	30 min.	Statistics
_gcl_aw	Google Ads	Is used by the conversion linker for click information	90 d.	Statistics
_gaexp	Google Analitics	To store ID's of experiments and sessions for A/B testing.	90 d.	Statistics
_ga_1QNMPY3YPM	G4 Analytics	Wordt gebruikt om de sessiestatus te behouden.	2 years	Statistic
_hjIncludedInSample	Hotjar	Helps with Hotjar features by identifying visitors during a session.	Session	Statistics
_clsk	Microsoft Clarity	To store and combine pageviews by a user into a single session recording.	1 day	Statistical
_uetsid	Microsoft Bing Ads	It allows to engage with a user that has previously visited website.	30 min. after session	Statistics
_uetvid	Microsoft Bing Ads	It allows to engage with a user that has previously visited website.	16 d.	Statistics
_hjSessionRejected	Hotjar	This cookie is only applied in extremely rare situations to prevent severe performance issues	Session	Statistics
_hjTLDTest	Hotjar	When the Hotjar script executes try to determine the most generic cookie path should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable).	Session	Statistics
__utmc	Google Analitics	Information to the server sent anonymously. Cookies identify unique visitors and monitors the user sessions	6 m.	Statistics
_gat_myTracker	Google Analytics, VWO	Cookie required for testing	Session	Statistics
_hjIncludedInPageviewSample	Hotjar	This cookie is set to let Hotjar know whether that user is included in the data sampling defined by site's pageview limit.	30 min.	Statistics
__utmz	Google Analytics	This cookie stores how the user reached website, whether it is directly by.	Session	Statistics
_hjFirstSeen	Hotjar	This is set to identify a new user's first session.	Session	Statistics
__utma	Google Analytics	This cookie is typically written to the browser upon the first visit to site from that web browser.	2 y.	Statistics
__utmt	Google Analytics	To store number of service requests.	10 min.	Statistics
__utmb	Google Analytics	To store time of visit.	Session	Statistics
_vis_opt_test_cookie	Visual Website Optimizer	This is a session cookie generated to detect if the cookies are enabled on the browser of the user or not.	Session	Statistics
_uetmsclkid	Microsoft Bing Ads	The advertiser’s site to capture the Microsoft Click ID from the URL.	90 d.	Statistics
_hjIncludedInSessionSample	Hotjar	This cookie is set to let Hotjar know whether that user is included in the data sampling defined by site's daily session limit.	30 min.	Statistics
_vwo	Visual Website Optimiser (VWO)	It generates a unique id for every visitor and is used for the report segmentation feature in VWO, and it also allows you to view data in a more refined manner.	74 y.	Statistics
_v	neofinance.com	To register a unique page load ID.	Session	Statistics
OTZ	Google Analytics	Cookie used to provides an aggregate analysis of Website visitors	7 min	Statistics
_gat	Google Analitics	These cookies are used to collect information about how visitors use website.	1 d.	Statistics
_gaexp_rc	Google Analytics	This cookie is used by Google Analytics to determine if the visitor is included in campaigns.	10 sec.	Statistics
_opt_expid	Google Ads	This cookie is generated by testing the redirect page version. It stores the test ID, the variation ID, and the redirect to the page that is being redirected.	10 sek.	Statistics
prli_visitor	Pretty Links	Cookie collect information in an anonymous form, including the tracking of visitor activity across clicks, the number of clicks per link and where visitors have come to the site from.	1 y.	Statistics
ai_user	Microsoft Application	This is a unique user identifier cookie enabling counting of the number of users accessing the application over time.	1 y.	Statistics
CLID	Microsoft Clarity	The purpose of this cookie is for heatmap and session recording.	1 year	Statistical
MR	Microsoft Clarity	Indicates whether to refresh MUID.	1 week	Statistical
SM	Microsoft Clarity	Used by Microsoft's Clarity analytics service to synchronise the MUID across Microsoft domains.	end of session	Statistical