As used in this Privacy and Data Protection Policy:

• (a)

  "Customer" means an individual who (i) interacts with us, (ii) submits any information to us; (iii) has contacted us through any means to find out more about any Services, or (iv) may or has, entered into a contract with us for the supply or any Services.

• (b)

  "Data Protection Laws" means any applicable law relating to the protection, privacy and security, collection, use, disclosure and/or processing of sensitive or other personally identifiable information, including the Personal Data Protection Act 2012 of Singapore.

• (c)

  "Personal Data" means data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access.

• (d)

  "Representatives" means, in relation to any person, its directors, employees, professional advisers, auditors and authorised representatives of that person.

Depending on the nature of your interaction with us, some examples of Personal Data which we may collect from you include:

• (a)

  name;

• (b)

  national identification numbers (including NRIC, FIN, work permit, passport, and birth certificate numbers);

• (c)

  residential address;

• (d)

  email address;

• (e)

  telephone number;

• (f)

  date of birth; and/or

• (g)

  employment information and financial information.

For the avoidance of doubt, if Data Protection Laws permit us to collect, use, disclose and/or process your Personal Data without your consent, such legal basis for collecting, using, disclosing and/or processing your Personal Data shall continue to be effective.

Generally, we collect your Personal Data in the following ways:

• (a)

  when you register for and/or use any of our Services or in connection with any other activities, features, resources, surveys or contests on our websites;

• (b)

  when you submit forms (online or otherwise) relating to any Services or submit any online queries;

• (c)

  when you interact with our staff, including customer service officers, for example, via telephone calls (which may be recorded), letters, fax, face-to-face meetings, social media platforms and emails;

• (d)

  when you request that we contact you or request that you be included in an email or other mailing list;

• (e)

  when you respond to our promotions, initiatives or to any request for additional Personal Data;

• (f)

  when we receive references from business partners and third parties, for example, where you have been referred by them;

• (g)

  when your images or conversations are captured by us via CCTV cameras while you are within our property and/or premises, or via photographs or videos taken by us or our representatives when you attend our events;

• (h)

  when you are contacted by, and respond to, our marketing representatives and customer service officers;

• (i)

  when we seek information about you and receive your Personal Data in connection with your relationship with us, including for our Services or job applications, for example, from our affiliates, business partners, public agencies, your ex-employer, referral intermediaries and the relevant authorities; and/or

• (j)

  when you submit your Personal Data to us for any other reason.

When you browse our website without logging in, you generally do so anonymously. We do not, at our website, automatically collect Personal Data unless you provide such information to us.

If you provide us with any Personal Data relating to a third party, by submitting such information to us, you represent and warrant that the collection, use, disclosure and/or processing of that Personal Data by us for the purposes set out below, is lawful, and you have obtained the consent of the third party to provide us with their Personal Data.

In general, we collect, use, disclose and/or process your Personal Data for the following purposes:

• (a)

  providing the Services to you and performing our obligations in the course of or in connection with our provision of the Services;

• (b)

  verifying your identity;

• (c)

  responding to, handling, and processing queries, requests, applications, complaints, and feedback from you;

• (d)

  administering and/or managing your relationship with us and your use of the Services;

• (e)

  maintaining your account with us;

• (f)

  processing payment or credit transactions;

• (g)

  organising, facilitating, and administering surveys, promotional events, contests, competitions and/or other features;

• (h)

  complying with any contractual terms and conditions to which we are bound by, anti-money laundering and countering the financing of terrorism laws and regulations, any other applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority;

• (i)

  notifying you of any information or updates pertaining to your orders and/or any service issues and unusual account actions;

• (j)

  handling any disputes, conducting and facilitating any investigations and proceedings;

• (k)

  commencing, responding to or acting in connection with any claims, actions or proceedings (including drafting and reviewing documents, transaction documentation, obtaining legal advice, and facilitating dispute resolution);

• (l)

  sending you periodic emails, including but not limited to news, updates and related information on the Services and Penguin Securities Group;

• (m)

  communicating with you changes and developments to our policies, terms and conditions and other administrative information;

• (n)

  preventing, detecting and investigating crime (including fraud, money-laundering and terrorism financing) and managing the safety and security of our premises and Services (including carrying out CCTV surveillance and conducting security clearances);

• (o)

  performing credit analysis;

• (p)

  conducting audits, reviews and analysis of our internal processes, action planning and managing commercial risks;

• (q)

  improving or enhancing any Services, or developing new products and/or services to be provided by us;

• (r)

  improving or enhancing the methods or processes, or developing new methods or processes, for the operations of us;

• (s)

  learning and understanding the behaviour and preferences of you or another individual in relation to the Services;

• (t)

  identifying any other Services provided by us that may be suitable for you or another individual, or personalising or customising any such Services for you or another individual;

• (u)

  any other purposes for which you have provided the information; and/or

• (v)

  for purposes which are reasonably related to the aforesaid.

In addition, we collect, use, disclose and/or process your Personal Data for the following purposes if you submit an application to us as a candidate for an employment or representative position:

• (a)

  conducting interviews;

• (b)

  processing your application which includes pre-recruitment checks involving your qualifications and facilitating interviews;

• (c)

  providing or obtaining employee references and for background screening;

• (d)

  assessing your suitability for the position applied for;

• (e)

  processing staff referrals;

• (f)

  entering into an employment relationship with you or appointing you to any office;

• (g)

  managing or terminating the employment relationship with or appointing you; and/or

• (h)

  for purposes which are reasonably related to the aforesaid.

Furthermore, and without prejudice to the generality of the foregoing, and where permitted under Data Protection Laws, we may also collect, use, disclose and/or process your Personal Data for any of the following purposes ("Additional Purposes"):

• (a)

  providing or marketing the Services and benefits to you, including promotions, loyalty and reward programmes;

• (b)

  matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the customisation, provision or offering of the Services, marketing or promotions, whether by us or other third parties;

• (c)

  administering contests and competitions, and personalising your experience at our touchpoints;

• (d)

  sending you details of the Services, special offers and rewards, either to our customers generally, or which we have identified may be of interest to you; and/or

• (e)

  conducting research, analysis, and development activities (including data analytics, surveys, product and service development and/or profiling), understanding and analysing customer behaviour, location, preferences and demographics for us to offer you the Services as well as special offers and marketing programmes which may be relevant to your preferences and profile.

If you have provided us with your Singapore telephone number(s) and have indicated that you consent to receiving marketing or promotional information via your Singapore telephone number(s), then from time to time, we may contact you using such Singapore telephone number(s) (including via voice calls, text, fax, or other means) with information about the Services.

In relation to particular Services or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use, disclose and/or process your Personal Data. If so, we will collect, use, disclose and/or process your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.

The purposes listed in the above clauses are not exhaustive and we may collect and/or use Personal Data for additional purposes which you will be notified of, in accordance with the applicable terms and conditions. Further, these purposes may continue to apply even in situations where your relationship with us has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under a contract with you).

We may engage or use any service provider (including but not limited to know-your-client solution provider(s)) for the processing of Personal Data or permit any authorised third-party to process Personal Data. If we do so, we will ensure that, prior to the processing, we will enter into a written agreement with the service provider or authorised third-party to specify the processing activities and impose on the service provider or authorised third-party the same terms as those imposed on us in this Privacy and Data Protection Policy.

As outlined in Paragraph 3.1 of this Privacy and Data Protection Policy, our data-sharing practices comply with Singapore’s PDPA. We may share personal data legally if we have prior informed consent from you or if an exception applies, such as for investigations or legal proceedings. Additionally, we may rely on legitimate interests as a legal basis for processing personal data, provided such processing is necessary and does not unduly impact individual rights and freedoms.

Subject to the provisions of any applicable law, you hereby agree, acknowledge and consent to the collection, use, and disclosure of your Personal Data, which may be disclosed for any of the purposes listed above in this Privacy and Data Protection Policy (as applicable) to the following entities or parties, regardless of whether they are located in Singapore or otherwise, on a need-to-know basis:

• (a)

  vendors, third-party service providers, agents and other organisations we have engaged to perform any of the functions in connection with any of the purposes listed above in this Privacy and Data Protection Policy;

• (b)

  relevant government ministries, regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority;

• (c)

  amongst our subsidiaries, affiliates and related corporations (including their respective staff);

• (d)

  contractors, agents, service providers and other third parties we use to support our business. These include but are not limited to those which provide administrative or other services to us such as mailing houses, telecommunication companies, information technology companies and data centres;

• (e)

  our corporate clients;

• (f)

  any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);

• (g)

  external banks, credit card companies, other financial institutions and their respective service providers;

• (h)

  our professional advisers such as consultants, auditors, and lawyers;

• (i)

  specific business partner(s) for the purpose of providing you with the services offered by the business partner(s), who is a third-party service provider, solely for the purpose of delivering the services requested by you; and/or

(j)

any other party to whom you authorise us to disclose your Personal Data to.

We may also share information about you in aggregate or anonymised form, for example, generic aggregated demographic information regarding visitors and users, with the abovementioned entities or parties (e.g., our business partners, affiliates, and advertisers).

We may, from time to time, introduce you to third-party products and services where relevant. By proceeding with such introductions, you consent to the sharing of necessary personal information with the third party solely to facilitate your engagement with their products or services. We shall ensure that any personal data shared is limited to what is necessary for the introduction.

As outlined in Paragraph 4.1 of our Privacy and Data Protection Policy, personal data may be shared with selected, trusted third parties providing essential services on a need-to-know basis. List of engaged third parties will be provided to you upon request.

In certain cases, we may engage sub-processors to facilitate business operations or meet regulatory requirements. These sub-processors are contractually bound to implement appropriate safeguards to protect personal data in accordance with PDPA.

The consent that you provide for the collection, use, disclosure and/or processing of your Personal Data will remain valid until such time it is being withdrawn by you in writing. You may withdraw your consent and request us to stop collecting, using, disclosing and/or processing your Personal Data for any or all of the purposes listed above by submitting your request in writing or via email to us using the contact details set out at Paragraph 12 below.

Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we will seek to process your request within ten (10) business days of receiving it.

Whilst we respect your decision to withdraw your consent, please note that if you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, we may not be in a position to continue to provide its Services to you, or administer any contractual relationship in place, which in turn may also result in the termination of any agreements with us, and your being in breach of your contractual obligations or undertakings. Our legal rights and remedies in such event are expressly reserved.

Please also note that withdrawing consent does not affect our right to continue to collect, use, disclose and/or process Personal Data where such collection, use, disclosure and/or processing without consent is permitted or required under applicable laws.

As outlined in Paragraph 5.1, you may withdraw consent for data sharing by contacting us. Withdrawing consent does not affect basic service usage but may impact specific service provision where such consent is essential for compliance or service delivery. Withdrawing consent for marketing will not affect your ability to continue using our services.

If you wish to make (a) a request for access to a copy of the Personal Data which we hold about you or information about the ways in which we use or disclose your Personal Data (“access request”), or (b) a request to correct or update any of your Personal Data which we hold about you (“correction request”), you may submit your request in writing or via email to us using the contact details set out at Paragraph 12 below.

Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

We will review and respond to your request as soon as reasonably possible. We may request you to provide supporting information or documentation to corroborate your request. In general, our response will be arranged as soonest as possible within 7 days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any Personal Data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under Data Protection Laws).

If we have made a correction to the Personal Data pursuant to your correct request, you agree that we may send the corrected personal data only to third parties to which the Personal Data was disclosed by us within one (1) year before the date of correction.

You may request a temporary restriction on the processing of your personal data by notifying us in advance, under specific circumstances such as awaiting verification of data accuracy or lodging an objection to processing.

We generally rely on Personal Data provided by you (or your authorised representative). To ensure that your Personal Data is current, complete and accurate, please update us if there are changes to your Personal Data in writing or via email to us using the contact details set out at Paragraph 12 below. For certain categories of Personal Data, you may also update your Personal Data directly via the website or our Services.

We are committed to the security of your Personal Data and implement appropriate data collection, storage and processing practices and security measures to protect your Personal Data. You should be aware, however, that no method of transmission over the internet or method of electronic storage is completely secure. While security cannot be guaranteed and any transmission remains at your own risk, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

We may retain your Personal Data and financial data for as long as it is necessary to fulfil its original purpose for which it was collected, or as required or permitted by applicable laws or regulatory obligations (generally 5 years post-service termination).

We will cease to retain your Personal Data or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the Personal Data was collected and is no longer necessary for legal or business purposes.

According to Paragraph 9.2, personal data is securely deleted or anonymized once it is no longer required for its stated purposes, legal or compliance obligations. Deletion is initiated within 5 years following service termination. Some data may be retained beyond the standard period in cases where required by regulatory audits, dispute resolutions, or legal and compliance obligations.

Where we transfer your Personal Data to countries outside of Singapore or otherwise, we will take steps to ensure such transfer is in accordance with Data Protection Laws, including ensuring that organisations provide a standard of protection to Personal Data so transferred that is comparable to protection required under the Data Protection Laws. Such transfers will be governed by contractual obligations between us and the international data processor to protect your legal rights and interests. You hereby consent to such transfers of your Personal Data outside Singapore or otherwise.

Penguin Securities has in place various security procedures, technical and organisational measures to safeguard your Personal Data. To protect against external attacks, we have in place robust firewalls and security measures to detect, isolate and prevent against hacking and other malware intrusions to our IT systems.

Further, Penguin Securities employees also undergo periodic security awareness programmes to create awareness in information security so that employees are able to identify and respond appropriately to security risks.

We use all reasonable efforts to safeguard your Personal Data. However, you should be aware that the use of the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any Personal Data which is transferred from you or to you via the Internet. You should also be mindful that you are responsible for keeping your access rights confidential and secure at all times.

The website or Services may from time to time contain links to third-party websites, services or other content that are not owned or controlled by us ("Third-Party Sites"). You acknowledge that Third Party Sites usually have their own terms and conditions (including privacy policies) which we do not control and will govern your rights and obligations with respect to the access and/or use of those websites, services or other content contained therein. It is your responsibility to read all such terms and conditions of any Third-Party Sites that you visit.

If you: (a) have any questions or feedback relating to your Personal Data or about this Privacy and Data Protection Policy; (b) would like to withdraw your consent to any use of your Personal Data as set out in this Privacy and Data Protection Policy; or (c) would like to obtain access and make correction to your Personal Data records, please contact us as follows:

Subject/Reference: Privacy Policy Attention: Data Protection Officer Email: support@penguinsecurities.sg

Please note that if your Personal Data has been provided to us by a third party, you should contact that organisation or individual to make such queries, complaints, and access and correction requests to us on your behalf.

This Privacy and Data Protection Policy shall be governed by and in accordance with the laws of Singapore.

This Privacy and Data Protection Policy applies in conjunction with, and not in substitution of, any other notices, contractual clauses and consent clauses that apply in relation to the collection, use, disclosure and/or processing of your Personal Data by us.

We shall have the discretion to update this Privacy and Data Protection Policy at any time without prior notice. You may determine if any such revision has taken place by referring to the date on which this Privacy and Data Protection Policy was last updated. You acknowledge and agree that it is your responsibility to review this Privacy and Data Protection Policy periodically and become aware of modifications. Your continued interaction with us or use of the Services shall constitute your acknowledgement and acceptance of such changes.

We are committed to keeping you informed about updates to our Privacy and Data Protection Policy. Any significant changes affecting personal data practices will be communicated directly via email, or other method of electronic notifications. These updates will include details on modifications to data-sharing practices, international transfers, retention policies, and client rights to ensure transparency and compliance with regulatory requirements.

Our website and/or our communications with you may contain links to other websites. Please note that the policy does not cover any external third party websites that may be accessed through links provided on our website and/or through our communications with you. We are not responsible for the privacy practices of such other websites and advise you to read the privacy statements of each website you visit which collects Personal Data.