PRIVACY POLICY

8LENDS DECENTRALIZED CROWDLENDING PLATFORM

Operated by Alpha Systems LLC

(A Virtual Asset Service Provider Registered under the Virtual Asset Business Act, 2022)

Effective Date: 01.01.2026

PART I – INTRODUCTION AND SCOPE

1. INTRODUCTION AND COMMITMENT

1.1 Data Controller. Alpha Systems LLC (“Company”, “we”, “us”, or “our”), a limited liability company incorporated under the Limited Liability Companies Act (Chapter 151 of the Revised Laws of Saint Vincent and the Grenadines), Company No. 3895 LLC 2024, with its registered office at Suite 305, Griffith Corporate Centre, Beachmont, Kingstown, Saint Vincent and the Grenadines, operates the 8lends decentralized crowdlending platform (the “Platform”). For the purposes of applicable data protection principles, the Company is the data controller responsible for the collection, use, storage, and disclosure of personal data in connection with the Platform and Services.

1.2 Data Protection Commitment. We are committed to protecting your privacy and ensuring that your personal data is handled responsibly, transparently, and in accordance with applicable data protection principles. While Saint Vincent and the Grenadines does not currently have comprehensive data protection legislation equivalent to the European Union’s General Data Protection Regulation (“GDPR”), we voluntarily adopt and contractually commit to data protection standards substantially equivalent to those established under the GDPR and other leading international data protection frameworks. This commitment is made as a contractual term of our relationship with you, enforceable under the General Terms and Conditions.

1.3 Regulatory Framework. Our data protection practices are designed to comply with the requirements of section 11(6) of the Virtual Asset Business Act, 2022 (No. 9 of 2022, as amended) (“VABA”), which requires registrants to implement policies to ensure that: (a) the collection, storage, use, and disclosure of personal information is legitimate and for purposes related to the business; (b) personal information is protected from unauthorised access; and (c) personal information is kept confidential. Additionally, we comply with the record-keeping requirements under the Anti-Money Laundering and Terrorist Financing Regulations, 2014 (S.R.O. No. 20 of 2014, as amended) (“AML/CFT Regulations”).

1.4 Relationship with Terms. This Privacy Policy should be read together with our General Terms and Conditions, which govern your use of the Platform and Services. By accessing or using the Platform, you acknowledge that you have read, understood, and consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy. Capitalised terms used but not defined in this Privacy Policy have the meanings given to them in the General Terms and Conditions.

2. DATA PROTECTION OFFICER

2.1 Contact Details. Although not legally required in Saint Vincent and the Grenadines, we have appointed a Data Protection Officer (“DPO”) to oversee our data protection practices and to serve as your point of contact for all privacy-related matters. The DPO can be contacted at: aleksandr.lang@8lends.io. For general inquiries, you may also contact: hello@8lends.io.

2.2 Registered Address. Our registered address for data protection correspondence is: Alpha Systems LLC, Teichgässlein 9, 4058 Basel, Switzerland

3. SCOPE AND APPLICATION

3.1 Scope. This Privacy Policy applies to:

(a) all individuals who access or use the Platform, whether as visitors, registered users, Investors, or Borrowers;

(b) personal data collected through the Platform, mobile applications, websites, and related services;

(c) personal data collected through communications with us, including email, telephone, chat, and social media;

(d) personal data received from third parties in connection with our services, including identity verification providers, blockchain analytics providers, and Maclear AG;

(e) personal data relating to directors, officers, Beneficial Owners, and authorised representatives of corporate Users.

3.2 Exclusions. This Privacy Policy does not apply to: (a) third-party websites, applications, or services that may be linked to or accessible from the Platform; (b) personal data processed by Borrowers in connection with their business activities; or (c) information that has been anonymised or aggregated such that it can no longer identify any individual. We encourage you to review the privacy policies of third parties before providing them with your personal data.

PART II – PERSONAL DATA COLLECTION

4. CATEGORIES OF PERSONAL DATA COLLECTED

4.1 We collect and process the following categories of personal data, the specific items of which are determined by Applicable Law and the nature of your relationship with us:

4.1.1 Identity Data: Full legal name (including any former names); date of birth; place of birth; nationality and citizenship; gender; government-issued identification documents (passport, national identity card, driver’s licence); photographs and biometric data for identity verification; specimen signature; and any other identification information required for Customer Due Diligence purposes under Regulations 9 to 15 of the AML/CFT Regulations.

4.1.2 Contact Data: Residential address; postal address (if different); email address; telephone number; mobile telephone number; and social media handles or identifiers (where provided).

4.1.3 Financial Data: Source of funds; source of wealth; employment status, occupation, and employer details; annual income and net worth; bank account details; cryptocurrency wallet addresses; transaction history on the Platform; investment preferences and risk tolerance; tax identification numbers; and any other financial information required for Customer Due Diligence or tax reporting purposes.

4.1.4 Corporate Data: For legal entity Users: company name; registration or incorporation number; jurisdiction of incorporation; registered office address and principal place of business; constitutional documents (memorandum and articles of association); corporate structure and ownership charts; details of directors, officers, shareholders, Beneficial Owners, and authorised representatives; board resolutions; certificates of good standing; and any other corporate information required for Customer Due Diligence purposes.

4.1.5 Technical Data: Internet Protocol (IP) address; browser type, version, and settings; device identifiers, type, and operating system; time zone setting and location data derived from IP address; login timestamps and session data; page response times; and information collected through cookies, web beacons, pixel tags, and similar technologies.

4.1.6 Usage Data: Information about your interactions with the Platform, including pages and features viewed; navigation paths; investment activities and transaction history; search queries; clickstream data; and engagement metrics.

4.1.7 Communication Data: Records of correspondence and communications with us, including emails, chat transcripts, support tickets, telephone call recordings (where disclosed), and any feedback, complaints, or surveys submitted.

4.1.8 Regulatory Data: Information required for anti-money laundering, counter-terrorist financing, and sanctions compliance, including screening results against sanctions lists (United Nations, European Union, OFAC, OFSI), Politically Exposed Person (PEP) databases, adverse media, and law enforcement databases; suspicious activity indicators; and information provided to or received from the Financial Intelligence Unit (FIU), Financial Services Authority (FSA), or other regulatory or law enforcement authorities.

5. METHODS OF COLLECTION

5.1 Information Provided Directly. We collect personal data that you provide directly when you: (a) create an Account or register on the Platform; (b) complete Customer Due Diligence verification; (c) make investments or conduct transactions; (d) contact customer support or submit inquiries; (e) subscribe to marketing communications or newsletters; (f) participate in surveys, competitions, or promotions; (g) provide feedback or complaints; or (h) engage with us through social media.

5.2 Information Collected Automatically. When you access or use the Platform, we automatically collect Technical Data and Usage Data through cookies, web beacons, pixel tags, software development kits (SDKs), and similar technologies. This includes: (a) device information (type, model, operating system, unique identifiers); (b) log data (access times, pages viewed, IP address, referring URL); (c) location data derived from IP address; and (d) information about your use of Platform features.

5.3 Information from Third Parties. We may receive personal data from the following third-party sources:

(a) Identity verification providers (including Truiloo and Persona) who verify your identity documents and biometric data;

(b) Blockchain analytics providers (including Chainalysis and Elliptic) who provide wallet screening, transaction monitoring, and risk scoring;

(c) Maclear AG (our parent company and collateral manager) who provides Borrower verification and due diligence information;

(d) Sanctions screening and PEP database providers;

(e) Credit reference and fraud prevention agencies;

(f) Publicly available sources, including company registries, court records, and government databases;

(g) Regulatory and law enforcement authorities in connection with investigations or requests for information.

5.4 Blockchain Data. When you interact with blockchain networks through the Platform, certain information including wallet addresses and transaction details is recorded on the public blockchain. This information is visible to anyone with access to the blockchain and is not controlled by us. We may associate publicly available blockchain data with your Account for compliance and service delivery purposes.

PART III – USE OF PERSONAL DATA

6. PURPOSES OF PROCESSING

6.1 We process your personal data for the following purposes:

6.1.1 Service Delivery and Contract Performance: To create and manage your Account; verify your identity and eligibility; provide access to the Platform and Services; process and execute your investment transactions; distribute investment returns and manage loan repayments; provide customer support and respond to inquiries; communicate service-related information and notifications; maintain and improve the Platform; and fulfil our contractual obligations to you under the General Terms and Conditions.

6.1.2 Legal and Regulatory Compliance: To conduct Customer Due Diligence and verify your identity in compliance with Regulations 9 to 15 of the AML/CFT Regulations; screen against sanctions lists and PEP databases in accordance with international standards; monitor transactions for suspicious activity and file Suspicious Activity Reports (SARs) with the FIU as required by Regulation 20 of the AML/CFT Regulations; comply with record-keeping requirements under Regulation 22 of the AML/CFT Regulations (seven-year retention); comply with regulatory reporting requirements under the VABA; implement the Travel Rule for virtual asset transfers in accordance with FATF Recommendation 16; and respond to lawful requests from regulatory authorities, law enforcement, courts, and government agencies.

6.1.3 Legitimate Business Interests: To protect the security, integrity, and availability of the Platform; detect, prevent, and investigate fraud, security breaches, and prohibited activities; enforce our General Terms and Conditions; analyse usage patterns and improve our Services; develop new products, features, and services; conduct business analytics and research; manage risk; protect our legal rights and pursue available remedies; and facilitate corporate transactions such as mergers, acquisitions, or restructurings.

6.1.4 Marketing and Communications (with Consent): Where you have provided your consent, to send marketing communications about our products, services, and promotions; send newsletters and platform updates; personalise your experience and content; and conduct surveys and market research.

7. LEGAL BASIS FOR PROCESSING

7.1 In accordance with our voluntary commitment to GDPR-equivalent standards, we rely on the following legal bases for processing your personal data:

(a) Consent: Where you have given clear, specific, informed, and unambiguous consent for us to process your personal data for a particular purpose, such as receiving marketing communications. You may withdraw your consent at any time as described in Clause 13.

(b) Contractual Necessity: Where processing is necessary to perform our contract with you (the General Terms and Conditions) or to take steps at your request prior to entering into a contract, such as processing your Account registration or executing your investment transactions.

(c) Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject, including AML/CFT requirements under the AML/CFT Regulations, regulatory requirements under the VABA, and lawful requests from authorities.

(d) Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your fundamental rights and interests. Our legitimate interests include fraud prevention, security, network and information security, business analytics, and enforcement of our legal rights.

7.2 Legitimate Interests Assessment. Where we rely on legitimate interests, we have conducted a balancing assessment to ensure that your rights and interests do not override our legitimate interests. You may request information about our legitimate interests assessments by contacting us at aleksandr.lang@8lends.io.

PART IV – DISCLOSURE AND SHARING OF PERSONAL DATA

8. RECIPIENTS OF PERSONAL DATA

8.1 We may share your personal data with the following categories of recipients:

8.1.1 Affiliated Companies: Maclear AG (our parent company incorporated in Switzerland), which provides Borrower verification, collateral management, and due diligence services. Maclear AG processes personal data in accordance with Swiss data protection law and is bound by contractual data protection obligations equivalent to those in this Privacy Policy.

8.1.2 Service Providers: Third-party service providers who process personal data on our behalf under written data processing agreements that include appropriate safeguards, including: identity verification providers (Truiloo, Persona); blockchain analytics providers (Chainalysis, Elliptic); cloud hosting and infrastructure providers; payment processing and banking partners; customer support and communications platforms; professional advisors including lawyers, accountants, auditors, and consultants; and technology and software providers.

8.1.3 Regulatory and Law Enforcement Authorities: The Financial Services Authority of Saint Vincent and the Grenadines (FSA); the Financial Intelligence Unit (FIU); law enforcement agencies; courts and tribunals; and other governmental, regulatory, or public authorities, where required by Applicable Law, in response to a lawful request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

8.1.4 Business Counterparties: In connection with any merger, acquisition, financing, sale of assets, or similar corporate transaction, or in the event of insolvency, bankruptcy, or receivership, personal data may be transferred to prospective or actual counterparties, acquirers, or successors as part of the due diligence process or as business assets. We will require any such recipient to protect your personal data in a manner consistent with this Privacy Policy.

8.2 Safeguards. All third parties with whom we share personal data are contractually obligated through data processing agreements or equivalent arrangements to: (a) process personal data only on our documented instructions; (b) implement appropriate technical and organisational security measures; (c) maintain confidentiality; (d) not engage sub-processors without our authorisation; (e) assist us in responding to data subject requests; (f) delete or return personal data upon termination; and (g) submit to audits and inspections.

9. INTERNATIONAL DATA TRANSFERS

9.1 Transfer Jurisdictions. Your personal data may be transferred to, stored, and processed in countries outside of Saint Vincent and the Grenadines, including: Switzerland (where Maclear AG is located); the European Economic Area; the United States; and other jurisdictions where our service providers operate.

9.2 Transfer Safeguards. In accordance with our voluntary commitment to GDPR-equivalent standards, when we transfer personal data internationally, we implement appropriate safeguards to ensure that your personal data receives an adequate level of protection, including:

(a) transfers to jurisdictions that have been recognised by the European Commission as providing adequate data protection (such as Switzerland);

(b) use of Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to other jurisdictions;

(c) binding corporate rules for transfers within corporate groups;

(d) other lawful transfer mechanisms recognised under applicable data protection law.

9.3 Copies. You may request a copy of the safeguards we have implemented for international data transfers by contacting us

PART V – DATA SECURITY AND RETENTION

10. DATA SECURITY MEASURES

10.1 Security Programme. We have implemented a comprehensive information security programme with appropriate technical and organisational measures designed to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in compliance with section 11(6)(b) of the VABA.

10.2 Technical Safeguards. Our technical security measures include: encryption of personal data in transit using Transport Layer Security (TLS) and at rest using industry-standard AES-256 encryption; multi-factor authentication for Account access and administrative systems; firewall protection, intrusion detection, and intrusion prevention systems; network segmentation and access controls; regular vulnerability assessments and penetration testing; Smart Contract security audits by recognised providers (Certik, Cyberscope); secure software development practices; continuous security monitoring and logging; and redundant systems and disaster recovery capabilities.

10.3 Organisational Safeguards. Our organisational security measures include: role-based access controls limiting personnel access to personal data on a strict need-to-know basis; confidentiality agreements with all employees, contractors, and service providers; background screening of personnel with access to personal data; regular staff training on data protection, security awareness, and AML/CFT requirements; documented security policies and procedures; incident response and breach notification procedures; business continuity and disaster recovery planning; and regular internal and external security audits.

10.4 Security Limitations. While we employ robust security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant authorities without undue delay in accordance with our breach notification procedures and Applicable Law.

11. DATA RETENTION

11.1 Retention Principle. We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

11.2 Retention Schedule. The following retention periods apply:

(a) Account and Transaction Data: For the duration of your Account relationship and for a period of seven (7) years from the date on which the business relationship ends or the last transaction is completed, as required by Regulation 22(1) of the AML/CFT Regulations;

(b) Customer Due Diligence Records: For a period of at least seven (7) years from the date on which the business relationship ends or an occasional transaction is completed, as required by Regulation 22(1) of the AML/CFT Regulations;

(c) Transaction Records: For a period of at least seven (7) years from the date of the transaction, as required by Regulation 22(1) of the AML/CFT Regulations;

(d) Communication Records: For a period of three (3) years from the date of the communication, or longer if required for ongoing matters;

(e) Marketing Preferences: Until you withdraw your consent or unsubscribe from marketing communications;

(f) Technical and Usage Data: For a period of two (2) years from collection, or longer if required for security or fraud investigation purposes.

11.3 Extended Retention. Personal data may be retained for longer periods where: (a) required by Applicable Law; (b) necessary for the establishment, exercise, or defence of legal claims; (c) required for ongoing regulatory investigations or audits; (d) required for legitimate business purposes that cannot be achieved through anonymisation; or (e) subject to a legal hold in connection with actual or anticipated litigation.

11.4 Disposal. Upon expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised using methods that prevent reconstruction or re-identification.

PART VI – YOUR RIGHTS

12. DATA SUBJECT RIGHTS

12.1 In accordance with our voluntary commitment to GDPR-equivalent standards, you have the following rights in relation to your personal data:

12.1.1 Right of Access: You have the right to obtain confirmation as to whether we are processing your personal data and, where we are, to obtain access to your personal data together with certain supplementary information about how we process it. This enables you to receive a copy of the personal data we hold about you and to verify that we are processing it lawfully.

12.1.2 Right to Rectification: You have the right to request correction of any personal data we hold about you that is inaccurate, out of date, or incomplete. This enables you to have any incomplete or inaccurate data corrected, though we may need to verify the accuracy of new data you provide.

12.1.3 Right to Erasure: You have the right to request deletion of your personal data in certain circumstances, including where: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent (where processing was based on consent); you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or erasure is required to comply with a legal obligation. This right is subject to the exceptions and limitations set out in Clause 12.3.

12.1.4 Right to Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances, including where: you contest the accuracy of the data; the processing is unlawful but you do not want erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of legitimate grounds.

12.1.5 Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to transmit that data to another controller without hindrance, where: the processing is based on your consent or on a contract; and the processing is carried out by automated means. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

12.1.6 Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the legal basis for processing. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.

12.1.7 Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

12.1.8 Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is: necessary for entering into or performance of a contract; authorised by law; or based on your explicit consent. We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects.

12.2 Exercising Your Rights. To exercise any of these rights, please submit a written request to aleksandr.lang@8lends.io. We will respond to your request within thirty (30) days of receipt, or such longer period as may be required for complex requests, with notice to you of any extension. We may request additional information to verify your identity before processing your request. There is no fee for exercising your rights, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

12.3 Limitations. Please note that these rights are not absolute and may be limited by Applicable Law or where we have overriding legitimate interests. In particular: (a) we are required by Regulation 22 of the AML/CFT Regulations to retain Customer Due Diligence and transaction records for at least seven years, and erasure requests cannot override this legal obligation; (b) we may be prohibited from disclosing the existence of Suspicious Activity Reports or other regulatory communications; (c) we may retain data necessary for the establishment, exercise, or defence of legal claims; and (d) we may retain data necessary to protect against fraud or to comply with ongoing regulatory obligations.

13. MARKETING COMMUNICATIONS

13.1 Marketing Consent. We will only send you marketing communications if you have opted in to receive such communications or where we are permitted to do so by Applicable Law.

13.2 Opting Out. You may opt out of receiving marketing communications at any time by: (a) clicking the “unsubscribe” link in any marketing email; (b) adjusting your communication preferences in your Account settings; or (c) contacting us at hello@8lends.io. We will process your opt-out request without undue delay.

13.3 Service Communications. Please note that even if you opt out of marketing communications, we will continue to send you service-related communications necessary for the operation of your Account, including transaction confirmations, security alerts, policy updates, and other important notices.

PART VII – COOKIES AND TRACKING TECHNOLOGIES

14. COOKIES

14.1 Use of Cookies. The Platform uses cookies and similar tracking technologies to enhance your experience, analyse usage, provide functionality, and for other purposes described in this section.

14.2 Types of Cookies. We use the following categories of cookies:

(a) Strictly Necessary Cookies: Essential for the operation of the Platform, including session management, security, load balancing, and authentication. These cookies cannot be disabled without affecting Platform functionality;

(b) Performance Cookies: Help us understand how visitors interact with the Platform by collecting and reporting information anonymously, including page views, traffic sources, and error messages;

(c) Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences, language settings, and login details;

(d) Targeting Cookies: May be used to deliver advertisements more relevant to you and your interests, and to measure the effectiveness of advertising campaigns (if applicable).

14.3 Cookie Management. You can manage cookie preferences through your browser settings. Most browsers allow you to refuse all or some cookies, or to alert you when cookies are being set. Please note that disabling strictly necessary cookies may prevent you from using certain features of the Platform.

PART VIII – CHILDREN’S PRIVACY

15. PROTECTION OF MINORS

15.1 Age Restriction. The Platform and Services are not intended for, and we do not knowingly collect personal data from, individuals under the age of eighteen (18) years. You must be at least 18 years of age to use the Platform.

15.2 Deletion. If we become aware that we have collected personal data from a child under 18 without verification of parental consent or other lawful basis, we will take steps to delete that information promptly.

15.3 Reporting. If you believe that we may have collected personal data from a child under 18, please contact us immediately at aleksandr.lang@8lends.io.

PART IX – CHANGES TO THIS POLICY

16. POLICY UPDATES

16.1 Revisions. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Effective Date” at the top of this Privacy Policy indicates when it was last revised.

16.2 Notification. We will notify you of material changes by email to the address associated with your Account and/or by posting a prominent notice on the Platform at least fourteen (14) days prior to the effective date of the changes. Material changes include changes to the categories of personal data collected, the purposes of processing, third-party recipients, international transfers, or your rights.

16.3 Acceptance. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you must discontinue use of the Platform and close your Account.

PART X – CONTACT INFORMATION

17. HOW TO CONTACT US

17.1 If you have any questions, comments, concerns, or complaints about this Privacy Policy or our data processing practices, please contact us:

Alpha Systems LLC

Teichgässlein 9,
4058 Basel,

Switzerland

General Inquiries: hello@8lends.io

Data Protection Officer: aleksandr.lang@8lends.io

Telegram Support: @daniel_8lends, @ceviz1399, @henry_8lends

17.2 Response Time. We endeavour to respond to all privacy-related inquiries within thirty (30) days of receipt. If we require additional time to respond, we will notify you of the expected timeframe.

— END OF PRIVACY POLICY —