This document explains how Credins Bank collects, uses, shares, and protects your personal data when you add your Credins card to Apple Wallet/Apple Pay. Your personal data is processed in accordance with Law No. 124/2024 “On the Protection of Personal Data” (effective as of January 17, 2025), as amended, as well as with the General Data Protection Regulation (EU) 2016/679 (GDPR), where applicable.

When you register your card in Apple Wallet, the following personal data is collected and processed solely for the purpose of providing the service or fulfilling your request. This information is shared with third parties only when necessary for this purpose, in accordance with the law, and when required by competent authorities, under legal provisions:

• Cardholder Information: Name, personal identification number, residential address, email address, mobile phone number

• Card Data: Card number (PAN), expiration date, CVV (temporarily, not stored)

• Device Data: Device type, operating system version, unique device identifier (UDID), IP address

• Authentication Data: One-time passwords (OTP)

• Location Data: Only at the moment of card activation, for fraud prevention purposes (only if you enable location services)

• Tokenized Data: Device Account Number (token) generated by Apple

We do not store the full card number or CVV after the activation process is complete.

Your data is processed for the following purposes:

• To verify your identity and validate your card for Apple Pay

• To securely enable card registration in Apple Wallet

• To fulfill anti-fraud and anti-money laundering obligations

• To comply with contractual obligations between you and the Bank

• To provide customer support related to Wallet functionality

The processing of personal data is conducted in full compliance with Law No. 124/2024 “On the Protection of Personal Data”.

The data is processed based on:

• Your consent when initiating the card registration in Apple Wallet

• Fulfillment of rights and obligations stated in the base card issuance contract

• Legal obligations

• Ensuring secure mobile payments

Your data may be shared with:

• Apple Inc. and its subsidiaries: to generate and manage a Device Account Number for your card

• Payment networks (e.g., Visa, Mastercard): for tokenization and transaction processing

• Third-party service providers: for authentication, fraud detection, or customer support only

• Regulatory authorities: when required by law

All data transfers are compliant with applicable laws, including safeguards.

We implement technical and organizational measures to protect data, including:

• Secure encryption during data transmission

• Avoidance of storing full card data on our servers or Apple’s

• Use of tokenization to avoid exposing the actual card number

• Access control, activity logging, and regular security testing

You have the right to:

• Access your personal data

• Request correction or deletion

• Withdraw your consent at any time (this may deactivate Apple Pay functionality)

• Object to or restrict certain processing

• Submit a complaint to the Commissioner for the Right to Information and Protection of Personal Data (KMDP)

• Activation data is retained only as long as necessary to fulfill contractual and legal obligations.

• Tokenized data and authentication logs are retained in accordance with regulatory requirements and the bank’s internal policies, as specified in the Commissioner’s Instruction No. 20 dated 03.08.2012 “On Data Processing in the Banking Sector”.

• Afterwards, data is destroyed or deleted, except in cases where a specific law or competent authority requires a different retention period.

If you have questions or requests regarding this Privacy Notice, please contact us at:

Email: info@bankacredins.com

Address: See the address of our headquarters published at www.bankacredins.com

You may also visit any of Credins Bank’s branches.

Data Protection Officer (DPO):

Email: dpo@bankacredins.com