Privacy Policy

PRIVACY POLICY

1. Who we are

Jet Bank is the controller of your personal data in accordance with Law No. 124/2024 "On the Protection of Personal Data".

We act as data controllers when you:

• enter a business relationship with us;
• use our banking products and services;
• access or use our website (https://jet.bank);
• use the Jet Bank mobile application.

Corporate details

• NUIS: M51923013I
• Registered address: “Skerdilajd Llagami” Street, Lake Park Central (Mak Albania Hotel), Building D, 4th Floor, Tirana — Republic of Albania

Contact details

• Telephone: +3554450777
• Email: info@jet-bank.com

2. What this Privacy Policy covers

This Privacy Policy explains:

• how we collect and process personal data;
• the principles that govern our processing activities; and
• the measures we apply to comply with applicable data protection laws.

We process personal data in accordance with:

• Law No. 124/2024 "On the Protection of Personal Data"; and
• Regulation (EU) 2016/679 (GDPR), where applicable.

3. The principles we follow

We process personal data in line with the following principles:

Lawfulness, fairness and transparency

We process personal data lawfully, fairly and in a transparent manner.

Purpose limitation

We collect personal data for specific, explicit and lawful purposes and do not process it in a way that is incompatible with those purposes.

Data minimization

We only process personal data that is adequate, relevant and limited to what is necessary for the purpose concerned.

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Inaccurate or incomplete data is corrected or deleted without undue delay.

Storage limitation

We retain personal data only for as long as necessary for the purposes for which it was collected, unless longer retention is required by law or permitted for archiving, research or statistical purposes subject to appropriate safety measures.

Integrity and confidentiality

We apply appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction or damage.

Accountability

We are responsible for complying with these principles and are able to demonstrate such compliance.

4. How we collect and use your personal data

When you use our website

When you access the Jet Bank website (https://jet.bank) and complete online forms — including:

• Careers / Job applications
• Contact Us
• Credit applications
• Newsletter subscriptions
• Other service-related sections

you may be asked to provide personal data. We collect this data directly from you when you submit it.

Who this applies to

We process personal data relating to:

• website visitors;
• clients and prospective clients;
• job applicants;
• current and former employees;
• individuals submitting inquiries, applications or other requests.

Why we process your data

We use personal data to:

• provide and administer our banking products and services;
• respond to your requests and inquiries;
• manage and maintain our relationship with you;
• operate and improve our website and online services.

Legal bases for processing

We process personal data only where a valid legal basis applies, including:

• performance of a contract or steps prior to entering into a contract;
• compliance with legal and regulatory obligations;
• legitimate interests pursued by the Bank, where these do not override your rights;
• your consent, where required (for example, for newsletters or specific marketing communications).

Processing is carried out in accordance with Law No. 124/2024 and, where applicable, GDPR.

Accuracy of information

You are responsible for ensuring that the information you provide is complete, accurate and up to date.

Submission of forms

By submitting information through our website, you acknowledge that Jet Bank, as data controller, and authorized persons acting on its behalf, may process the information you provide for the purposes described in this Privacy Policy and under the applicable legal bases.

Security

We apply appropriate technical and organizational measures to protect personal data and maintain secure systems for its storage and processing.

Scope of this section

This section applies only to the Jet Bank website (https://jet.bank). It does not apply to third-party websites that may be accessed through external links.

Acceptance and updates

By accessing our website, you confirm that you have read and accepted the applicable terms of use. This Privacy Policy should be read together with the Bank's Working Conditions and website terms. We may update this Policy from time to time.

5. When and how we process your personal data

We process your personal data when you interact with us, including when you:

• use the Jet Bank mobile application;
• apply for employment;
• apply for or use any of our products or services (accounts, deposits, loans, e-banking, bank cards, etc.);
• browse or use our website, including through cookies;
• contact us by email, telephone or other communication channels.

How we use the data you provide

Personal data provided by you is used only to:

• provide the requested service;
• administer the relevant product;
• respond to your request;
• manage your relationship with the Bank.

We share personal data with processors, sub-processors or third parties only where necessary for these purposes and always in compliance with applicable law.

Legal bases for processing

We process personal data only where at least one legal basis applies under Law No. 124/2024 and, where applicable, GDPR.

Consent

We process your personal data where you have given consent for one or more specific purposes.

• Consent may be withdrawn at any time, free of charge.
• Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Consent means a freely given, specific, informed and unambiguous indication of your wishes, expressed through a clear affirmative action.

Performance of a contract

We process personal data where it is necessary to:

• perform a contract to which you are a party; or
• take steps at your request before entering into a contract.

This includes processing required to provide financial services, execute banking transactions and deliver our products.

Compliance with a legal obligation

We process personal data where required to comply with legal and regulatory obligations, including:

• anti-money laundering requirements;
• tax and reporting obligations;
• fraud prevention and identity verification;
• creditworthiness assessments (where applicable);
• regulatory risk management obligations.

Vital interests

We may process personal data where necessary to protect your vital interests or those of another natural person.

Public interest or official authority

Where applicable, we may process personal data where necessary for tasks carried out in the public interest or in the exercise of official authority.

Legitimate interests

We may process personal data where necessary for legitimate interests pursued by the Bank or a third party, provided these do not override your fundamental rights and freedoms.

Examples include:

• ensuring platform and device security;
• preventing fraud and criminal activity;
• improving and developing products and services;
• managing operational risk.

6. Who we process data about

We process personal data relating to different categories of individuals, including:

• clients;
• employees;
• job applicants;
• suppliers;
• website visitors;
• other individuals interacting with the Bank.

Processing is carried out for the purpose of providing services and managing relationships connected to those services.

Website usage data

When you access our website, certain technical data may be collected:

• data generated during normal website operation;
• data processed through internet communication protocols;
• data processed for the duration of your connection.

Our website may contain references to external websites. We are not responsible for the privacy practices of third-party websites. You should review their privacy policies separately.

Electronic banking data

Personal data relating to electronic banking services:

• is stored in systems applying high security standards;
• is processed exclusively to provide and operate electronic banking services;
• is accessible only to the user and authorized persons.

Such data is not collected for the purpose of directly identifying individuals. However, due to its nature or in combination with other information, identification may be possible.

Data you provide voluntarily

You may voluntarily provide personal data through:

• optional online forms;
• emails sent to addresses published on our website.

This may include:

• your email address (necessary to respond to your request);
• any additional personal data contained in your communication.

We apply high security standards when storing and processing such data in accordance with Law No. 124/2024 and applicable information security requirements.

Service-specific privacy notices

For certain services offered on our website or platforms, we may provide additional summaries or notices explaining how personal data is processed in that specific context. These notices supplement this Privacy Policy.

Recruitment and job applicants

If you apply for employment with Jet Bank, we process your personal data for:

• managing recruitment and selection processes;
• monitoring and analyzing recruitment statistics.

Where we intend to share your data with third parties (for example, to obtain references), we will inform you in advance, unless disclosure is required by law.

Retention of applicant data

If you are not selected:

• your personal data will be retained for the period required by applicable legislation;
• after that period, it will be securely deleted or destroyed.

Only anonymized data may be retained for statistical purposes.

Employee data

For individuals employed by the Bank, personal data is:

• processed only to the extent necessary for employment-related purposes;
• stored securely in both physical and electronic systems;
• retained in accordance with applicable legislation and internal policies.

Upon termination of employment:

• an employment file is maintained for the relevant employment period;
• data is retained securely until the applicable legal retention period expires.

7. Direct marketing

When we send marketing communications

We will only use your personal data to send advertising or commercial communications about our products or services where we have a valid legal basis to do so. Where required by law, this will be based on your prior consent.

How consent works

If you provide consent through the application or other authorized channel, you acknowledge and agree that we may process your personal data for direct marketing purposes in line with the consent you have given.

How to withdraw consent

You may withdraw your marketing consent at any time, free of charge. You can do this by:

• using the unsubscribe option available in the relevant communication (for example, through a dedicated link, where applicable); or
• by contacting the Virtual Branch or by submitting a written request to the Bank.

Effect of withdrawal

Withdrawal of consent does not affect the lawfulness of any processing carried out before the consent was withdrawn.

8. Categories of personal data we process

Depending on the purpose and context of processing, we may process the following categories of personal data.

Identity and demographic data

• First, middle and last name
• Father's name
• Nationality
• Date and place of birth
• Gender
• Photograph
• Identification document or passport details (personal identification number, document type, issuing authority, issue date, expiry date)

Contact and address data

• Postal address (country, region, postal code, city, street address)
• Personal email address
• Mobile and telephone numbers
• Work contact details (where applicable)

Family and personal status data

• Marital status
• Family composition (where required by law)

Education and employment data

• Education background
• Profession, position and workplace
• Employment status
• Employment details of close relatives, where required by law

Authentication and access data

• Signature specimen
• Registration and user account data in Jet.Bank
• Powers of attorney and authorization agreements
• Information regarding third-party beneficiaries

Regulatory, tax and compliance data

• FATCA/CRS status
• Tax Identification Number (TIN)
• Politically Exposed Person (PEP) status
• Tax-related information

Financial profile and credit data

• Financial status and income-related information
• Credit assessment documentation and credit history
• Information about relationships with other banks or financial institutions
• Business documentation for self-employed individuals

Account, card and transaction data

• Bank account details
• Debit and credit card details
• Transaction history and transaction details
• Merchant-related data linked to card payments
• Data arising from contractual performance
• Data relating to the use of our products and services

Collateral and ownership data

• Property ownership documents
• Valuation reports
• Collateral insurance
• Construction-related documentation

Website, device and location data

• Cookie-related data
• Device identifiers
• IP address
• Technical data related to devices and technologies used to access our services
• Location data, where applicable and permitted

Automated processing

We may use automated processing for purposes such as:

• verifying individuals entering Bank premises for security purposes;
• identifying suspicious transactions, fraud risks and AML-related concerns.

We do not rely solely on automated decision-making for decisions that produce legal or similarly significant effects. Relevant decisions involve authorised and responsible staff in accordance with applicable legislation.

9. Special categories of personal data and security records

Health data

Sensitive health data may be processed where required in the context of:

• employment relationships; or
• social security and social protection obligations,

in accordance with applicable legislation.

Biometric authentication

Jet Bank does not collect or store biometric data. Biometric authentication (such as fingerprint or facial recognition) may be used to access the mobile application or authorize transactions where supported by your device.

• Biometric data is processed and stored by your device operating system, not by the Bank.
• The Bank does not store biometric templates or identifiers.
• You may enable or disable biometric authentication at any time via your device settings.

CCTV recordings

We may process CCTV images captured in and around Bank premises and 24/7 service areas for security and safety purposes, in accordance with applicable law.

Audio recordings (interviews)

Audio recordings may be made during interviews conducted within Bank premises, where applicable and in line with the legal framework.

Telephone call recordings

Telephone conversations may be recorded for:

• security purposes;
• evidentiary verification of contractual requests and instructions;
• prevention and detection of fraudulent activity.

Recordings are retained only for as long as necessary to meet these purposes, in accordance with applicable legislation and internal retention policies.

‍
10. How we process personal data

We process personal data using:

• electronic means, including information systems and digital platforms;
• manual means, including paper-based records.

All processing is carried out in compliance with:

• Law No. 124/2024 "On the Protection of Personal Data"; and
• applicable implementing acts and security requirements.

We apply appropriate technical and organizational measures to ensure the confidentiality, integrity and security of personal data.

11. How long we keep your personal data

General rule

We retain personal data in secure systems and premises for the period required by applicable legislation and relevant regulatory acts.

After the applicable retention period expires:

• electronic data is securely deleted;
• physical records are securely destroyed,

unless retention is required by law, by a competent authority, or where a different retention period expressly applies.

Standard retention period

Unless specific legislation provides otherwise, personal data processed by Jet Bank is retained for ten (10) years following:

• termination of the financial relationship; or
• completion of a one-off transaction.

Retention variations

Retention periods may vary depending on:

• the category of personal data;
• the purpose of processing;
• legal or regulatory obligations.

In all cases, we retain personal data only for as long as necessary to:

• fulfil legal, contractual and regulatory obligations; and
• achieve the purpose for which the data was collected.

12. Sharing your personal data

Processors and service providers

To provide banking and financial services, we may share personal data with service providers who process data on our behalf. These providers act as "processors" under applicable data-protection legislation and process personal data strictly:

• under contractual arrangements;
• in accordance with our instructions;
• subject to appropriate technical and organizational security measures;
• in compliance with applicable data-protection laws.

Processors may include providers supporting:

• card production and personalization;
• payment processing and transaction services;
• IT infrastructure and technology services;
• debt collection services;
• operational and support functions necessary for the delivery of banking services.

Group entities and partners

We may share personal data with:

• other affiliated entities;
• partners involved in the provision of services,

where such sharing is necessary and permitted under applicable law.

Transfers outside the Republic of Albania

Where necessary for the provision of services or compliance with legal obligations, personal data may be transferred within or outside the Republic of Albania. In such cases, we ensure that:

• appropriate safeguards are in place;
• adequate security measures are applied;
• transfers comply with applicable legal requirements.

Authorities and legally authorized recipients

We may disclose personal data to competent authorities or other recipients where required or permitted by law, including but not limited to:

• supervisory and regulatory authorities;
• the Bank of Albania;
• tax authorities;
• the Financial Intelligence Agency;
• correspondent banks;
• law enforcement authorities;
• courts or authorized representatives;
• joint account holders, co-debtors, guarantors or other persons legally connected to the service.

Such disclosures are made strictly in accordance with applicable legislation.

13. Your right of access

How to request access

You have the right to request confirmation as to whether we process personal data relating to you. You may exercise this right by submitting a formal request to the Bank in accordance with our applicable procedures.

In line with Law No. 124/2024, we will:

• provide the requested information; or
• explain the reasons why the information cannot be disclosed,

within thirty (30) days from the date we receive your request.

What information you can receive

If we process your personal data, you may receive information about:

• the purposes of processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the data may be disclosed;
• whether providing the data is mandatory or voluntary;
• a description of the personal data processed and, where possible, a comprehensible copy of that data.

Identity verification

To exercise your right of access or any other rights under Law No. 124/2024, you may be required to:

• submit a formal written request; and
• provide valid identification documents to verify your identity.

This ensures that personal data is disclosed only to authorized individuals.

14. Your rights

If we process your personal data, you have rights under Law No. 124/2024 "On the Protection of Personal Data". You may exercise these rights by submitting a request to the Bank in accordance with our procedures.

Right to be informed

You have the right to receive information about how your personal data is processed. This information must be provided in a clear, transparent and easily understandable form.

Right of access

You have the right to:

• confirm whether we process personal data relating to you;
• obtain access to that data;
• receive information about the purposes, categories and recipients of the data.

Right to rectification

You have the right to request correction of inaccurate or incomplete personal data relating to you.

Right to erasure

Where permitted by law, you may request deletion of your personal data. Requests are handled as soon as possible and no later than thirty (30) days from receipt, unless a legal obligation requires continued retention.

Right to restriction of processing

You may request restriction of processing where the legal conditions are met, including in cases provided under applicable legislation.

Right to object

You may object to the processing of your personal data on grounds relating to your situation, where permitted by law.

Right not to be subject to automated decision-making

You have the right not to be subject to a decision based solely on automated processing, including profiling, where such decision produces legal or similarly significant effects.

Right to data portability

Where applicable, you may request to receive your personal data in a structured, commonly used and machine-readable format and transmit it to another controller.

Right to lodge a complaint

If you believe that the processing of your personal data infringes applicable law, you have the right to lodge a complaint with the Commissioner for the Right to Information and Personal Data Protection. This right is without prejudice to any other administrative or judicial remedy available under law.

15. How we protect your personal data

We process personal data to carry out our activities and legal obligations in accordance with applicable legislation and internal regulations. We recognize that information is a critical asset and apply appropriate safeguards to protect it against:

• unauthorized access;
• alteration;
• disclosure;
• loss or destruction, whether accidental or intentional.

Our security approach

We apply a risk-based approach to information security. This includes:

• identifying and assessing security risks;
• implementing appropriate physical, technical and organizational safeguards;
• taking into account technological developments and implementation costs;
• ensuring a level of security proportionate to the nature of the data and the potential impact of a breach.

Technical and organizational measures

Security measures may include, where appropriate:

• advanced security technologies and monitoring tools;
• encryption;
• role-based access controls and least-privilege principles;
• regular security testing and assessments.

Where third-party service providers process personal data on our behalf, we require them to implement appropriate security standards. Service providers involved in relevant services are expected to maintain recognised information security certifications, such as ISO/IEC 27001 or equivalent standards.

Confidentiality obligations

All Bank employees are bound by confidentiality obligations. Employees:

• may access personal data only as necessary for their professional responsibilities;
• may disclose information only to authorized persons or competent authorities, where permitted or required by law.

The Bank:

• conducts integrity and suitability assessments prior to employment;
• monitors compliance with information security obligations;
• requires employees to sign confidentiality declarations, which remain binding even after termination of employment and may include civil and criminal liability provisions.

16. How to contact us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, you may contact us through:

• Email: dpo@jet-bank.com
• Post: Jet Bank headquarters (registered address)
• The relevant section of the Jet Bank mobile application

Identity verification

If we have reasonable doubts about the identity of the person submitting a request under applicable data protection legislation, we may request additional information to verify the identity of the data subject. This is to ensure that personal data is disclosed only to authorized individuals.

Fees and excessive requests

Requests submitted under Law No. 124/2024 are generally handled free of charge. However, where a request is manifestly unfounded or excessive, particularly due to its repetitive nature, the Bank may:

• charge a reasonable fee reflecting administrative costs; or
• refuse to act on the request.

Right to lodge a complaint

You have the right to lodge a complaint with the Commissioner for the Right to Information and Personal Data Protection:

• Email: info@idp.al
• Green line: 0800 20 50

You also have the right to seek judicial remedies before the competent court, in accordance with applicable legislation.