General Data Protection Regulation (GDPR)
Your data protection rights under the EU and UK GDPR, including how we collect, process, and protect your personal data.
Last Updated: January 2026
1. Introduction
This GDPR Privacy Notice is provided by Hollywood Vault, Inc. ("Hollywood Vault," "we," "us," or "our") to individuals in the European Economic Area (EEA) and the United Kingdom, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and the United Kingdom General Data Protection Regulation ("UK GDPR"), collectively referred to as the "GDPR."
This notice explains how we collect, use, and protect your personal data when you apply for or use our credit card products and related services. It supplements our Privacy Policy, which applies to all users globally.
Hollywood Vault offers credit card products to eligible individuals in the EEA and UK through partnerships with locally licensed financial institutions. The specific entity responsible for your data depends on your jurisdiction and is identified in Section 2.
2. Data Controller
Hollywood Vault, Inc. is the data controller responsible for your personal data under the GDPR. Our contact details are:
Data Controller
Company: Hollywood Vault, Inc.
Address: 6801 Hollywood Boulevard, Los Angeles, CA 90028, USA
Data Protection Officer: dpo@hollywoodvault.com
EU Representative (Art. 27): Hollywood Vault EU Representative Services, 12 Rue de la Paix, 75002 Paris, France — eu-rep@hollywoodvault.com
UK Representative (Art. 27): Hollywood Vault UK Representative Ltd, 1 Mayfair Place, London W1J 8AJ, United Kingdom — uk-rep@hollywoodvault.com
3. Personal Data We Process
We process the following categories of personal data:
- Identity data: name, date of birth, nationality, government-issued ID number
- Contact data: postal address, email address, telephone number
- Financial data: income, employment information, credit history, bank account details
- Transaction data: purchase amounts, merchant information, payment locations, transaction history
- Technical data: IP address, device information, browser type, operating system
- Usage data: pages visited, click patterns, session duration, app usage statistics
- Special categories (if voluntarily provided): none under normal circumstances; we do not process special category data unless it is strictly necessary and you have given explicit consent
4. Legal Basis for Processing
We rely on the following legal bases under Article 6 of the GDPR to process your personal data:
- Consent (Art. 6(1)(a)): You have given consent for processing activities such as marketing communications and optional analytics. You may withdraw consent at any time.
- Contractual necessity (Art. 6(1)(b)): Processing is necessary to enter into and perform the Cardholder Agreement, including issuing your card, processing transactions, and servicing your account.
- Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with legal obligations such as anti-money laundering (AML) regulations, tax reporting, and consumer protection laws.
- Vital interests (Art. 6(1)(d)): Processing is necessary to protect your vital interests, such as preventing fraud or unauthorized access to your account.
- Legitimate interests (Art. 6(1)(f)): Processing is necessary for our legitimate interests in operating our business, such as fraud prevention, network security, and product improvement, balanced against your rights and freedoms.
5. Purposes of Processing
We process your personal data for the following specific purposes:
- Assessing your credit card application and determining creditworthiness
- Issuing, activating, and servicing your credit card account
- Processing transactions, payments, and reward redemptions
- Detecting, preventing, and investigating fraud and financial crime
- Complying with AML, Know Your Customer (KYC), and tax reporting obligations
- Communicating with you about your account, security alerts, and policy changes
- Providing customer support and resolving disputes
- Improving our products, services, and user experience through analytics
- Sending marketing communications (only with your consent)
6. Data Recipients
We may share your personal data with the following categories of recipients:
- Payment networks (Visa, Mastercard) for transaction processing
- Consumer reporting agencies for creditworthiness assessments
- Service providers acting as data processors (cloud hosting, payment processing, customer support, analytics)
- Co-branded partners and affiliates (with your consent where required)
- Regulatory authorities and law enforcement (when required by law)
- Professional advisors (legal, accounting, auditing)
All data processors are bound by written agreements that ensure they process your personal data only on our instructions and in compliance with the GDPR.
7. International Data Transfers
As a U.S.-based company, we may transfer your personal data outside the EEA and UK. When we do so, we ensure that appropriate safeguards are in place to protect your data in accordance with the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the UK
- Binding Corporate Rules (BCRs) for intra-group transfers, where applicable
- Adequacy decisions: transfers to countries recognized by the European Commission as providing an adequate level of data protection
You may request a copy of the appropriate safeguards we have implemented by contacting our Data Protection Officer.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, and reporting requirements. Our retention periods include:
- Account data: for the duration of your account, plus 7 years after closure
- Transaction records: 7 years (per financial regulations)
- Identity verification data: 5 years after account closure
- Marketing consent records: until consent is withdrawn, plus 3 years
- Fraud investigation records: up to 10 years
When personal data is no longer needed, we securely delete or anonymize it in accordance with our data retention schedule.
9. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, access the data and information about how it is processed.
Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
Right to Erasure (Art. 17)
Also known as the "right to be forgotten," you may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to Restriction (Art. 18)
You have the right to request that we restrict the processing of your personal data under certain conditions, such as during the verification of a rectification request.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
In addition, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you (Art. 22).
10. Exercising Your Rights
How to Submit a Request
To exercise any of your GDPR rights, you may contact us using the information in Section 12. You do not need to provide a reason for your request, but we may ask for information to verify your identity.
Response Timeline
We will respond to your request within one month of receipt. If your request is complex or you have made multiple requests, we may extend this period by two further months. We will inform you of any extension within one month of receiving your request, together with the reasons for the delay.
Fees
We provide the first copy of your personal data free of charge. For additional copies, we may charge a reasonable fee based on administrative costs. We may also charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state, or in the UK, where you live or work, or where the alleged infringement took place.
Key supervisory authorities include:
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI) — bfdi.bund.de
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
We encourage you to contact us first so we can address your concerns, but you are not obligated to do so before contacting a supervisory authority.
12. Contact Information
For questions about this GDPR notice, to exercise your rights, or to contact our Data Protection Officer, please use the following:
Hollywood Vault Data Protection Team
Data Protection Officer: dpo@hollywoodvault.com
General Privacy Inquiries: privacy@hollywoodvault.com
Mail: Hollywood Vault, Inc., Attn: Data Protection Officer, 6801 Hollywood Boulevard, Los Angeles, CA 90028, USA
EU Representative: eu-rep@hollywoodvault.com
UK Representative: uk-rep@hollywoodvault.com
We respond to all GDPR requests within one month.