1. Who We Are

Rhoam is operated through two legal entities depending on where you are located:

References to "Rhoam", "we", "us", or "our" in this Policy refer to the Rhoam entity that is the data controller for your personal data, as determined by your jurisdiction of residence or access.

If you are in the EEA or UK, you may lodge a complaint with your national data protection supervisory authority. We encourage you to contact us first.

2. What Personal Data We Collect

We collect only what is necessary and proportionate for the purposes described in this Policy. The categories below reflect the full scope of data we may collect depending on which services you use.

2.1 Identity and Contact Data

• Full legal name
• Date of birth
• Nationality and country of residence
• Email address and phone number
• Residential and correspondence address
• Username and optional profile picture

2.2 Identity Verification (KYC) Data

• Government-issued identity document (such as a passport or national identity card)
• Proof of address (utility bill, bank statement)
• Selfie or biometric photograph for identity verification
• Biometric liveness check data processed by our identity verification provider
• Source of funds and source of wealth declarations (for enhanced due diligence)

2.3 Financial and Transaction Data

• Bank account details linked via open banking or provided manually
• Transaction history, amounts, currencies, and beneficiary details
• Payment references and notes
• Account balance and statement data
• Funding source details (debit card, bank transfer, open banking)

2.4 Technical and Device Data

• IP address and approximate geolocation
• Device type, operating system, and app version
• Device identifiers (device ID, advertising ID where permitted)
• Session data, login timestamps, and activity logs
• Cookies and similar tracking technologies (see our Cookie Policy at rhoam.money/cookies)

2.5 Usage and Behavioural Data

• How you navigate and use the Platform (pages visited, features used, time spent)
• Preferences and settings you configure
• In-app support chat logs and customer service communications
• Rhoami AI query history (anonymised and stripped of raw PII before processing)

2.6 Compliance and Fraud Prevention Data

• Sanctions screening results and PEP (Politically Exposed Person) status
• Risk scoring and fraud detection signals
• Information received from third-party fraud prevention and AML screening providers

2.7 Data Received from Third Parties

We may receive personal data about you from:

• Identity verification and KYC providers
• Open banking connectivity providers
• Sanctions and PEP screening databases
• Fraud detection providers
• Crypto transaction monitoring providers
• Partner financial institutions, card issuers, and payment networks
• Publicly available sources, including company registries

3. Why We Use Your Data and Our Legal Bases

We process your personal data only when we have a valid legal basis. The table below sets out the main purposes and the legal basis for each.

4. Biometric Data and Sensitive Personal Information

As part of our identity verification process, we process biometric data including facial recognition data derived from the selfie and liveness check you complete during onboarding. We treat this data with the highest level of care.

• Biometric data is collected only with your explicit consent
• It is processed exclusively by our trusted KYC provider for identity verification purposes
• We do not store raw biometric data on our own servers beyond what is strictly necessary
• Biometric data is not used for facial recognition in public spaces, targeted advertising, or any secondary purpose
• It is not sold or shared with any party other than our KYC provider for this specific purpose
• Raw biometric data is deleted by the KYC provider after verification is complete

5. Rhoami AI and Automated Processing

Rhoami is our AI-powered financial assistant. To provide personalised financial insights, Rhoami analyses your transaction history and account data. We apply the following protections:

• PII stripping: your personal identifiers are removed or anonymised before any data is passed to external AI model APIs
• We use a three-tier AI routing architecture (Llama, Qwen, and third-party models). Only anonymised, non-identifiable query content reaches external model providers
• We do not use your personal data to train third-party AI models
• Rhoami does not make final autonomous financial decisions without human oversight

Where Rhoami's automated processes produce significant effects (such as an account restriction based on a risk signal), you have the right to request human review. Contact support@rhoam.money.

6. Who We Share Your Data With

We do not sell your personal data. We share data only as necessary to provide the Services and comply with our legal obligations.

6.1 Service Providers and Technology Partners

• Identity verification: us and our identity verification partners
• AML and sanctions screening: us and our compliance partners
• Fraud detection: us and our fraud prevention partners
• Crypto transaction monitoring: us and our blockchain analytics partners
• Open banking: us and our open banking partners (UAE and other supported jurisdictions)
• Card issuing: us and our card issuing partners
• Crypto-fiat infrastructure: us and our crypto infrastructure partners
• Payment rails: us and our payment infrastructure partners (EU/UK and Australia corridors)
• Account safeguarding: us and our account safeguarding partners
• Cloud infrastructure: our cloud infrastructure provider (data hosted in the Middle East region for UAE data residency compliance)
• Customer support platform: us and our customer support partners
• Email and push notification delivery services

6.2 Financial and Regulatory Partners

• Correspondent banks and financial institutions involved in processing your transactions
• Card networks (Visa/Mastercard)
• Payment networks (SWIFT, domestic payment rails, SEPA, Faster Payments)

6.3 Legal and Regulatory Authorities

We may disclose personal data to regulatory, law enforcement, or governmental authorities where required, including:

• UAE Central Bank, Financial Intelligence Unit (FIU), VARA, and other UAE regulators
• AUSTRAC (Australia), FCA (UK), FinCEN (US), and equivalent regulators in other jurisdictions where we operate
• Courts, arbitration bodies, or other dispute resolution authorities
• Tax authorities under CRS, FATCA, and other automatic exchange of information regimes

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale, your personal data may be transferred to the acquiring entity. We will notify you and ensure appropriate protections are in place.

7. International Data Transfers

Rhoam operates globally and your personal data may be transferred to and processed in countries other than your own. Where we transfer data internationally, we ensure appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission or relevant authority
• Adequacy decisions by the relevant data protection authority
• Binding Corporate Rules where applicable
• Contractual terms requiring equivalent data protection standards

UAE user data is hosted in the Middle East region to comply with CBUAE data residency requirements. You may request information about safeguards for any international transfer by contacting privacy@rhoam.money.

8. Data Retention

We retain your personal data for as long as necessary to provide the Services and comply with our legal obligations.

9. Your Rights

You have the following rights in relation to your personal data. We honour these rights for all users globally, subject to applicable legal exceptions. Submit any request to privacy@rhoam.money or through the in-app privacy centre. We will respond within 30 days.

• Right of Access — request a copy of the personal data we hold about you
• Right to Rectification — ask us to correct inaccurate or incomplete data
• Right to Erasure — ask us to delete your data (subject to legal retention requirements)
• Right to Restriction — ask us to limit how we use your data in certain circumstances
• Right to Data Portability — receive your data in a machine-readable format
• Right to Object — object to processing for legitimate interests or direct marketing
• Right to Withdraw Consent — withdraw consent at any time without affecting prior lawful processing
• Right regarding Automated Decisions — request human review of any decision made solely by automated processing that produces significant effects on you

We will never discriminate against you for exercising your privacy rights.

10. Cookies and Tracking Technologies

We use cookies, pixel tags, local storage, and similar tracking technologies. Full details are in our Cookie Policy at rhoam.money/cookies. In summary:

• Strictly necessary cookies: required for the Platform to function — cannot be disabled
• Performance and analytics cookies: help us understand how users navigate the Platform
• Functional cookies: remember your preferences and personalise your experience
• Marketing cookies: deliver relevant advertising (only with your explicit consent)

You can control cookies through your browser settings, our cookie consent banner, or the Rhoam app privacy settings. On mobile: iOS Settings > Privacy > Tracking; Android Settings > Google > Ads.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for all account and admin access
• Regular penetration testing and vulnerability assessments
• Strict access controls — data accessible on a need-to-know basis only
• Secure cloud infrastructure with physical and environmental controls
• Incident response procedures for detecting and responding to data breaches
• Employee training on data protection and information security

In the event of a breach posing a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities within 72 hours of becoming aware.

12. Children's Privacy

Our Platform is not intended for individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have done so without appropriate parental consent, we will delete that data promptly. Please contact privacy@rhoam.money if you believe we may have collected data from a child.

13. Region-Specific Provisions

13.1 United Arab Emirates

We comply with UAE Federal Law No. 45 of 2021 on the Protection of Personal Data (PDPL), CBUAE data residency requirements, and sector-specific regulations from the UAE Central Bank and VARA. Services in the UAE are provided by Rhoam Money FZE. Contact the UAE Data Office at www.uaedataoffice.gov.ae for unresolved concerns.

13.2 DIFC

Where Rhoam or its affiliates operate within the DIFC, we comply with the DIFC Data Protection Law 2020 (Law No. 5 of 2020) and associated regulations.

13.3 ADGM

Where applicable, we comply with the ADGM Data Protection Regulations 2021 administered by the ADGM Registration Authority.

13.4 Australia

Australian services are provided by Rhoam Money Pty Ltd, registered in Australia and regulated by AUSTRAC. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

13.5 European Economic Area and United Kingdom

We process data of EEA and UK residents in accordance with the GDPR (EU) 2016/679 or UK GDPR as applicable. You have the right to lodge a complaint with your national data protection supervisory authority. Where we transfer data outside the EEA or UK, we apply the safeguards described in Section 7.

13.6 California (United States)

For California residents, we comply with the CCPA as amended by the CPRA. You have the right to know what personal information we collect and how it is used, to delete your information (subject to exceptions), to correct inaccurate information, to opt out of the sale or sharing of your personal information, and to non-discrimination for exercising your rights. We do not sell your personal data. Contact privacy@rhoam.money to exercise your California rights.

13.7 All Other Jurisdictions

Wherever you access Rhoam, we apply the privacy standards set out in this Policy as a baseline. Where local law requires additional protections or rights, we comply with those requirements. If you are unsure which protections apply to you, contact privacy@rhoam.money.

14. Changes to This Privacy Policy

We may update this Policy to reflect changes in our data practices, legal obligations, or business operations. We will notify you of material changes by:

• Email to your registered email address
• In-app notification
• Updating the version number and effective date at the top of this Policy

Continued use of the Platform after notification constitutes your acknowledgement of the updated Policy.

15. Contact Us

Rhoam Money FZE (UAE) / Rhoam Money Pty Ltd (Australia)

• Privacy enquiries: privacy@rhoam.money
• Data Protection Officer: dpo@rhoam.money
• General support: support@rhoam.money
• Legal: legal@rhoam.money
• Website: www.rhoam.money

If you have a complaint about how we handle your personal data, please contact us first and we will aim to resolve it within 30 days. If you remain unsatisfied, you may contact the relevant data protection supervisory authority in your jurisdiction.