Privacy Policy

Last updated: 22 April, 2025

This Privacy Policy includes important information about your personal data and we encourage you to read it carefully.

Introduction

Groov Technology Ltd, a company registered in UK (number: SC679273), with its registered office at 19 Craigcrook Road, Edinburgh, Scotland, EH4 3NQ provides the next generation of Embedded Lending infrastructure – one that enables SME growth, drives innovation, and empowers businesses to thrive. We respect the privacy of our users and are committed to protecting your personal data.

Groov is registered with the Information Commissioner’s Office (reference number ZB330292).

This Privacy Policy (“Policy”) describes the Personal Data we collect, how we use and share it, along with details on how you can reach out to us with privacy-related inquiries. Additionally, the Policy outlines your rights as a data subject and choices you have, including the right to object to certain usages of your Personal Data by us.

This Site is not intended for anyone under the age of 18 and we do not knowingly collect data relating to such people.

Defined Terms

In this Policy, “Groov”, “we”, “our,” or “us” refers to the Groov entity (Groov Technology Ltd) responsible for the collection, use, and handling of Personal Data as described in this document.

“Personal Data” refers to any information associated with an identified or identifiable individual, which can include data that you provide to us, and we collect about you during your interaction with our Services.

“Services” refers to the products, services and applications, that we provide under the Groov Terms of Service and/or the Groov Broking Service Agreement (“Broking Services”) and/or the Groov Platform Services Agreement (“Platform Services”); websites (“Sites”) like wearegroov.io; and other Groov applications and online services. We provide Broking Services to entities like Small and medium-sized enterprises/SMEs (“Business Users”). We provide Platform Services to Institutional Businesses, Commerce Platforms, Business SaaS Platforms (“Customers”).

“Financial Partners” are financial institutions such as Capital Providers and Business Finance Lenders that we partner with to provide the Services.

Depending on the context, “you” might be a Business User, Merchant, Authorised User, or Visitor:

Business Users. When you transact with us directly and/or use our Broking Service to review your business and compare business financing options via us, we refer to you as a “Business User”.
Merchants. When you do business with, or otherwise engage in a contract with a Customer and perform a transaction via the Customer, such as applying for a financing/capital product application via a Customer app (embedded or otherwise) where the Customer has a Platform Services Agreement with Groov, but you are not directly contracting with Groov, we refer to you as a “Merchant”
Authorised Users. When you are acting on behalf of an existing or potential Customer - perhaps as an account administrator for a Customer - we categorize you as an “Authorised User”
Visitors. When you interact with Groov by visiting one of its Sites without being logged into a Groov account, or when your interaction with Groov does not involve you being a Business User, Merchant or Authorised User, you are considered a“Visitor.” For example, you are a Visitor when you send a message to Groov asking for more information about our Services.

‍

Our data processing role:

Depending on the activity, Groov assumes the role of a“data controller” and/or “data processor”.

The “data controller” is the entity which determines the purposes and means of the data processing taking place. The “data processor” is an entity acting on behalf and under the instructions of a controller in processing personal data.

Groov is a data controller when it determines the purposes and means of the processing taking place. These data processing activities include:

Providing the Groov products and services to Business Users, including determining the Financial Partners and any third parties to be utilized;
Complying with legal or regulatory obligations applicable to the financial sector to which Groov is subject, including applicable anti-money laundering screening and compliance with know-your-customer obligations; and
Analysing, developing and improving Groov’s products and services.

Groov is a data processor where it is facilitating business data and financial partner provided financing/capital product orchestration that requires processing of personal data on behalf of and at the direction of our Customer pursuant to the Terms of Services. Our Customers direct us to capture business data and transaction data/information from Merchants.

In this Policy, “Business Data” & “Transaction Data” refers to data collected and used by Groov to facilitate your request. Some Business Data is Personal Data and may include: your name, email address, contact number, registered/residential address, identification data, ownership details, business and location details. Some Transaction Data is Personal Data and may include: your name, email address, contact number, address, payment method information (like card details, bank account details), financing product information (loan account details, linked bank account), merchant and location details, amount and date of transaction, and in some instances, information about products/services related to the transaction.

‍

1. Personal Data we collect and how we use and share it

Our collection and use of Personal Data differ based on whether you are a Business User, Merchant, an Authorised User, or Visitor, and the specific Service being utilized. For example, if you're a SME business who wants to use our Broking Service, we may collect your Personal Data to onboard your business with a Financial Partner; at the same time, you might also be a Merchant if you are using a service provided by our Customer and are connecting your payment accounts and/or Bank Accounts to receive Insights about your business via the service channel of the Customer.

1.1 Business Users

Groov provides Broking Services to our Business Users, which include processing business insights about you to pre-qualify to a financing option and/or collecting onboarding information about you to submit to FinancialPartners. When acting as a data controller for a Business User, we process Personal Data in accordance with our Broking Service agreement with you.

a. Personal Data we collect about Business Users

Contact Information. When you engage with us for the Broking Service, we collect your contact details to communicate with you and fulfil our obligation as per the Broking Service terms. Introducers (businesses that introduce you to us) may also share your contact details with us as per our MoU or Service terms with them, please refer to the privacy policy of such Introducers you're doing business with for its privacy practices, choices, and controls. We may also collect your login details to provide you access to your instance of Groov connected dashboard account. You may add details to account profile settings to personalise your dashboard experience. If you sign up to receive Groov communications or notifications, we collect your profile data (like phone number for sms notifications).

Using Connect. Groov offers a service called "Connect," which allows you to link and connect your card payment accounts and/or your bank accounts and/or other accounts you hold that you can connect via the service. This allows us to profile your business, share cash flow insights with you, to pre-qualify you for different financing options and to share this information with any future interactions with Financial Partners. By connecting you may share and save your payment and/or bank account details to your Groov account using Groov’s Connect product. When you use Connect, Groov will periodically collect and process your account information (such as account owner information, account balances, account number and details, account transactions, and, in some cases, log-in credentials). You can revoke or ask us to cease the collection of such data at any time.

Identity/Verification Information. Groov will collect Personal Data about you, such as your identity information during the financing application process. During the process, you’d be asked to share with us certain Personal Data (like your government/personal ID, address verification documents, Personal Data you input). To protect against fraud and determine if somebody is trying to impersonate you, we or our Financial Partners may cross-verify this data with information about you that we've collected.

b. How we use and share Personal Data of Business Users

To provide our Broking Services to our Business Users, we use and share your Personal Data with Financial Partners. Where allowed, we also use your Personal Data for Groov’s own purposes such as improving and offering our Broking Services.

Business Insights. We use your Business Data & Transaction data to deliver Business Insights to you, including aggregated cashflow details, transaction history view and trends, and helping you determine the financing options and capital product eligibility as appropriate.

Broking life cycle management. Business Users use our Broking Services to explore and access financing products. Across the product qualification to the product fulfilment and in-life management, your personal data is used and shared with Financial Partners and various entities in connection to your product provisioning and management.

Compliance Management and Loss Prevention. We use your Personal Data collected across our Services to manage compliance and prevent financial losses for you, us, and Financial Partners. We may provide Financial Partners, with Personal Data about you (including your compliance outcomes) so that they can assess the loss risk associated with any product/service they offer.

Product Marketing. As part of our Broking Service, we may use your Personal Data to market and advertise different financing products or services. You will be able to opt-out and/or request us to stop using your Personal Data for marketing purposes.

1.2 Merchants

Groov provides various Platform Services to our Customers which include processing business insights about Merchants to drive Customers business objectives and/or to provide Merchants a point-of-need financing option and/or onboarding/servicing information from Merchants via Customer platform to orchestrate across our Financial Partners. When acting as a data processor for a Customer, we process Merchant Personal Data in accordance with our agreement with the Customer and their lawful instructions. This happens, for example, when we aggregate revenue information about your business on behalf of a Customer to power their business service/offerings to you as a Merchant. When acting as a data controller, Groov must comply with and perform its obligations under DP Law when processing Personal Data of Merchants in the manner set out in this Privacy Policy and in accordance with our agreement with the Customer. This happens, for example when we collect personal information about you to manage the financial product lifecycle management with our financial partner.

Customers are responsible for ensuring that the privacy rights of their Merchants are respected, including obtaining appropriate consents and making disclosures about their own data collection and use associated with their products and services. If you're Merchant, please refer to the privacy policy of the Customer you're doing business with for its privacy practices, choices, and controls.

a. Personal Data we collect about Merchants

Business Data. If you're a Merchant transacting with our Customer who uses our Platform Services, we receive your Business Data. We may also receive your transaction details and history with the Customer.

Contact Information. We would collect your contact details to communicate with you and provide our products/services as per the Platform Service terms with your Customer. We may also collect your login details to provide you access to your Groov connected account instance either embedded within your Customer app account or as a hosted Groov dashboard account. You may add details to account profile settings to personalise your dashboard experience. If you sign up to receive Groov communications or notifications, we collect your profile data (like phone number for sms notifications).

Using Connect. Groov offers a service called "Connect," which allows you to link and connect your card payment accounts and/or your bank accounts and/or other accounts you hold with the Customer or an external account that belongs to you. This allows us to profile your business, share cash flow insights with you and our Customer, to pre-qualify you for different financing options and to share this information with any future interactions with Financial Partners as well as with the Customer. By connecting you may share and save your payment and/or bank account details with us using Groov’s Connect product. When you use Connect, Groov will periodically collect and process your account information (such as account owner information, account balances, account number and details, account transactions, and, in some cases, log-in credentials). You can revoke or ask us or ask our Customer/Financial Partner to cease the collection of such data at any time.

Identity/Verification Information. Groov will collect Personal Data about you, such as your identity during the financing application process. During the process, you’d be asked to share with us certain Personal Data (like your government/personal ID, address verification documents, Personal Data you input). To protect against fraud and determine if somebody is trying to impersonate you, we or our Financial Partners may cross-verify this data with information about you that we've collected.

b. How we use and share Personal Data of Merchants

To provide our Platform Services to our Customers, we use and share your Personal Data with them. Where allowed, we also use your Personal Data for Groov’s own purposes such as improving and offering our Platform Services.

Business Insights. We use your Business Data to deliver Business Insights to you and our Customer, including aggregated cashflow details, transaction history view and trends, and if appropriate helping you determine the financing options at point of need and capital product eligibility as appropriate as long as such financing services are enabled by the Customer via their Platform Services with us.

Financing Product life cycle management. Customers use our Platform Services to enable Merchants like you to explore and access financing products. Across the product qualification to the product fulfilment and in-life management, your personal data is used and shared with Customers, Financial Partners and various entities in connection to your product provisioning and management. The Financial Partner you choose to do business with also receives Business Data and might share the data with others, we will disclose and ask you to review their privacy policy before you proceed ahead with a product signup/onboarding journey with the chosen one.

Compliance Management and Loss Prevention. We use your Personal Data collected across our Services to manage compliance and prevent financial losses for you, us, our Customers and our Financial Partners. We may provide Customers and Financial Partners, with Personal Data about you (including your compliance outcomes) so that they can assess the loss risk associated with any product/service they offer.

Our Customers and/or Financial Partners (and their authorized third parties). We share your Personal Data with our Customers and/or Financial Partners and parties directly authorized by them to receive such data. Here are common examples of such sharing:

When a Customer instructs Groov to share business insights, information and data related to its Merchants, via Groov Connect.
When a Customer instructs Groov to provide Financial Partners with information and data related to its Merchants, via Groov Connect.
Sharing information that you have provided to us with a Customer and/or Financial Partner so that we can orchestrate financing product account information with you on their behalf.

The Customer and/or Financial Partner you choose to do business with may further share your Personal Data with third parties (like additional third-party service providers other than Groov). Please review their privacy policies for more information.

Personalization. We use the data we collect from cookies, analytics and similar technologies about you to measure user engagement with the content on the Site or applications enabled via our Service, improve relevancy and navigation, customize your user experience and curate content about Groov and our Services that's tailored to you.

Product Marketing. If you initiate a business process with a Customera nd/or Financial Partners, they receive your Personal Data from us in connection with our provision of Services. The Customer and/or Financial Partners may use your Personal Data to market and advertise their products or services, subject to the terms of their privacy policy. Please review their privacy policy for more information, including your rights to stop their usage of your Personal Data for marketing purposes.

1.3 Authorised Users

We collect, use, and share Personal Data from Authorised Users of our Customers (for example, administrators, operational users) to provide our Platform Services.

a. Personal Data we collect about Authorised Users

Registration and contact information. When you register and sign-up for a Groov account on behalf of a Customer, we collect your name and login details. Once you have access to the Groov account dashboard of the Customer account, you may upload your profile picture and add details to account profile settings to personalise your dashboard experience. If you signup to receive Groov communications or notifications, we collect your profile data (like phone number for sms notifications).

b. How we use and share Personal Data of Authorised Users

We typically use the Personal Data of Authorised Users to provide the Platform Services to the Customer.

Platform Services. We use and share your Personal Data to provide the Services requested by you or the Customer you represent.

Product Marketing. As part of our Platform Services, we may use your Personal Data to market and advertise different financing products or services. You will be able to opt-out and/or request us to stop using your Personal Data for marketing purposes.

1.4 Visitors

We collect, use, and share the Personal Data of Visitors.

a. Personal Data we collect about Visitors

When you browse our Sites, we receive your Personal Data, either provided directly by you or collected through our use of cookies and similar technologies. See our Cookie Policy for more information. If you opt to complete a form on the Site or third-party websites where our advertisements are displayed (like social media platforms like LinkedIn), we collect the information you included in the form. This may include your contact information and other information pertaining to your questions about our Services. We may also associate a location with your visit.

b. How we use and share Personal Data of Visitors

Personalization. We use the data we collect from cookies and similar technologies about you to measure user engagement with the content on the Sites, improve relevancy and navigation, customize your user experience, and curate content about Groov and our Services that's tailored to you.

Advertising. Where allowed by applicable law, we use and share Visitors’ Personal Data with third parties so we can advertise and market our Services. Subject to applicable law, including any consent requirements, we may advertise through interest-based advertising and track the efficacy of such ads. See our Cookie Policy. We do not transfer your Personal Data to third parties in exchange for payment. However, we may provide your data to third party partners, like advertising partners, analytics providers, and social networks, who assist us in advertising our Services.

Engagement. As you interact with our Sites, we use the information we collect about and through your devices to provide opportunities for further interactions, such as discussions about Services or interactions with chatbots, to address your questions.

2. More ways we collect, use, and share Personal Data

In addition to the ways described above, we also process your Personal Data as follows:

a. Collection of Personal Data

Online Activity. Depending on the Service used, we may collect information related to:

The devices and browsers you use across our Sites, our applications, and any other linked online services (“Third-Party Sites”).
Usage data associated with those devices and browsers and your engagement with our Services, including data elements like IP address, plug-ins, language preference, time spent on Sites and Third-Party Sites, pages visited, links clicked, and the pages that led you to our Sites and Third-Party Sites.

Communication and Engagement Information. We also collect information you choose to share with us through various channels, such as support tickets, emails, or social media. If you respond to emails or surveys from Groov, we collect your email address, name, and any other data you opt to include in your email or responses. If you engage with us over the phone, we collect your phone number and any other information you might provide during the call. Additionally, we collect your engagement data and any other interactions with Groov personnel.

Forums and Discussion Groups. If our Sites allow posting of content, we collect Personal Data that you provide in connection with the post.

b. Use of Personal Data.

Besides the use of Personal Data described above, we use Personal Data in the ways listed below:

Improving and Developing our Services. We use analytics on our Sites to help us understand your use of our Sites and Services and diagnose technical issues. Please review our Cookie Policy to learn more about how you can control our use of cookies and third-party analytics. We also collect and process Personal Data throughout our various Services, whether you are a Business User, Merchant, Authorised User, or Visitor, to improve our Services, develop new Services, and support our efforts to make our Services more relevant and useful to you.

Communications. We use the contact information we have about you to deliver our Services, which may involve sending codes via SMS or via emails for your authentication. If you are a Business User, Authorised User, or Visitor, we may communicate with you using the contact information we have about you to provide information about our Services, invite you to participate in our events, surveys, or user research, or otherwise communicate with you for marketing purposes, in compliance with applicable law, including any consent or opt-out requirements.

Social Media and Promotions. If you opt to submit Personal Data to engage in an offer, program, or promotion, we use the Personal Data you provide to manage the offer, program, or promotion. We also use the Personal Data you provide, along with the Personal Data you make available on social media platforms, for marketing purposes, unless we are not permitted to do so.

Compliance Management and Security. We collect and use Personal Data to help us identify and manage activities that could be non-compliant, fraudulent or harmful across our Services, and secure our Services against unauthorized access, use, alteration or misappropriation of Personal Data, information, and funds. As part of the compliance management, security monitoring efforts for Groov and its Business Users, Financial Partners and Customers, we collect information from third parties (such as credit bureaus) and via the Services we offer. In some instances, we may also collect information about you directly from you, or from our Customers, and other third parties for the same purposes. Furthermore, to protect our Services, we may receive details such as IP addresses and other identifying data about potential security threats from third parties.

Compliance with Legal Obligations. We use Personal Data to meet our contractual and legal obligations related to Know-Your-Customer("KYC") laws, safeguarding vulnerable customers, export control, and prohibition of doing business with restricted persons or in certain business fields, among other legal obligations. Ensuring safety, security, and compliance for our Services is a key priority for us, and collecting and utilizing Personal Data is crucial to this effort.

Minors. Our Services are not directed to children under the age of 18, and we request that they do not provide Personal Data to seek Services directly from Groov.

c. Sharing of Personal Data.

Besides the sharing of Personal Data described above, we share Personal Data in the ways listed below:

Service Providers or Sub-Processors. In order to provide, communicate, market, and advertise our Services, we depend on sub-processors and service providers. These entities offer critical services spanning from providing cloud infrastructure, conducting analytics for the assessment of speed, accuracy, and/or security of our Services, verifying identities, to providing customer service and audit functions. We authorize these entities to use or disclose the Personal Data we make available to them to perform services on our behalf and comply with relevant legal obligations. We mandate these entities to contractually commit to ensuring the security and confidentiality of thePersonal Data they process on our behalf. You can view a list of such service providers and sub-processors we work with on this page

Corporate Transactions. If we enter or intend to enter a transaction that modifies the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control, or other disposition of all or part of our business, assets, or stock, we may share Personal Data with third parties in connection with such transaction. Any other entity that buys us or part of our business will have the right to continue to use your Personal Data, but subject to the terms of this Policy.

Compliance and Harm Prevention. We share Personal Data when we believe it is necessary to comply with applicable law; to abide by rules imposed by Financial Partners in connection with the use of their financing products/services; enforce our contractual rights; secure and protect the Services, rights, privacy, safety, and property of Groov, you, and others, including against malicious or fraudulent activity; and to respond to valid legal requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

3. Legal bases for processing Personal Data

For purposes of the General Data Protection Regulation and other applicable data protection laws, we rely on a number of legal basest o process your Personal Data.

a. Contractual and Pre-Contractual Business Relationships. We process Personal Data to enter into business relationships with prospective Business Users and Authorised Users and fulfil our respective contractual obligations with them. These processing activities include:

Creation and management of Groov accounts and Groov account credentials, including the assessment of applications to initiate or expand the use of our Services incl setting you for related customer service activities;
Accounting, auditing, and billing activities; and
Processing of pre-eligibility across various financing options and adhering to our regulatory guidance of whether we can serve you or not.

b. Legal Compliance. We process Personal Data to verify the identities of individuals and entities to comply with obligations related to Broking Service and Platform Services specific to Business Financing i.e laws associated with identifying and reporting illicit and illegal activities, such as those under the Anti-Money Laundering ("AML") and Know-Your-Customer (“KYC") regulations, and financial reporting obligations. For example, we may be required to record and verify a Business User’s identity to comply with regulations designed by our Financial Partners to prevent money laundering, fraud, and financial crimes. These legal obligations may require us to report our compliance to third parties and subject ourselves to third party verification audits per our Service Terms with such Financial Partners or any regulatory parties we may have to report to.

c. Legitimate Interests. Where allowed under applicable law, we rely on our legitimate business interests to process your Personal Data. The following list provides an example of the business purposes for which we have a legitimate interest in processing your data:

Mitigation of financial loss, claims, liabilities or other harm to Business Users, Merchants, Financial Partners and Groov;
Determination of eligibility for and offering Groov Services;
Response to inquiries, deliveryo f Service notices, and provision of customer support;
Promotion, analysis, modification, and improvement of our Services, systems, and tools, as well as the development of new products and services, including enhancing the reliability of the Services;
Management, operation, and improvement of the performance of our Sites and Services, through understanding their effectiveness and optimizing our digital assets;
Analysis and advertisement of ourServices, and related improvements;
Aggregate analysis and development of business intelligence that enable us to operate, protect, make informed decisions about, and report on the performance of our business;
Sharing of Personal Data with third party service providers that offer services on our behalf and business partners that help us in operating and improving our business; and
Enabling network and information security throughout Groov and our Services;

d. Consent. We may rely on consent or explicit consent to collect and process Personal Data regarding our interactions with you and the provision of our Services such as Connect, Insights, Financing products/services. When we process your Personal Data based on your consent, you have the right to withdraw your consent at any time, and such a withdrawal will not impact the legality of processing performed based on the consent prior to its withdrawal.

The table below provides a detailed overview of why and how we use your Personal Data.

Business Users

When you directly use a Broking Service, we refer to you as a “Business User.”

PROCESSING PURPOSE	CATEGORIES OF PERSONAL DATA	LEGAL BASES
Provide our Services. To provide services to you, including delivery, support, personalization and messages related to the service.	Your name, contact information, financial information including Bank Account Information, Merchant Account Information and any other Account Information.	Our contractual necessity to perform our contractual relationship with you, under applicable data protection laws.
For the provision of our services including Connect, Insights and Financing/Capital. When we process data based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on such consent before the consent is withdrawn.	If you choose to use Connect you agree to let Groov store your connected account details and related information so that you can engage with Insights we offer you and share your details seamlessly with Financial Partners who partner with Groov to provide Financing products and services.	Based on consent in processing this personal information.
Financial Products. We use your Personal Data to offer you financial products and services from our Financial Partners	Your name, email address, phone number, postal address, transaction information, password, PIN or similar authentication credentials, age, DOB, identity and proof details (like drivers license number, tax ID), cookie data, IP address.	Our legitimate interests in promoting our products and in determining eligibility for and offer new and/or existing Groov products and services.
Offer our Services and Alert you of Changes to our Services. We work with Financial Partners to offer financing to Business Users who can satisfy particular criteria and will process your data to help determine if you qualify for financing or not. Certain information will be processed by Groov prior to the offer of financing in order to determine eligibility.	The name and other identifying details and contact information of a Business User’s Owners/Directors, physical address of Business User, and the Business User's Groov setup details and information related to the Business User’s performance insights aggregated by Groov or if the Business User chooses to provide such information directly.	Our legitimate interests in promoting our products and in determining eligibility for and offer new Groov products and services.
Marketing and Advertising. We may use your Personal Data to assess your eligibility and offer you other Services. We use your Personal Data for interest-based advertising and marketing purposes. We do not share Personal Data to third parties for their marketing purposes unless you give us or the third-party permission to do so.	Contact information including: name, email address, work phone number, and job title. Connection data such as IP address, and web behavior (page visited, length on page, etc.)	Based on consent in processing this personal information. Our legitimate interest in undertaking marketing activities to offer you products or services that may be of interest to you.
Compliance and Harm Prevention. We process and share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) for compliance with rules imposed by financial partners in connection with use of that financing/capital product; (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Groov, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.	Any Personal Data we process, including information necessary for identity verification	Where these processing activities or disclosures are necessary to comply with our legal obligations, for the protection of a person's vital interests, for reasons of public interest, for reasons of substantial public interest, or for the purposes of Groov’s or a third party’s legitimate interest in keeping Groov secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations, facilitating the collection of taxes and prevention of tax fraud or preventing loss or damage.
Reduce fraud and enhance security. We will share Personal Data about your identity, including information that you provide, to enable our Financial Partners to perform verification Services to establish KYC obligations and reduce fraud and enhance security.	In some cases you may provide your identity document, and we or our Financial Partners will use technology to “verify.” We will use information from our service providers, our Financial Partners and our Services to help verify your identity and fraud prevention.	Based on consent in processing this personal information. Our legitimate interests in establishing identity and confirming to compliance obligation on behalf of our Financial Partners

Merchants

When you do business with, or otherwise transact with, a Customer but are not directly doing business with Groov, we refer to you as a “Merchant.”

PROCESSING PURPOSE	CATEGORIES OF PERSONAL DATA	LEGAL BASES
Provide our Services to Customers, including to process Insights and any Financial Products the Customer have signed upto as part of Platform Services If you are a Merchant, when you Connect, check financial product eligibility, make a financial/capital product application or otherwise engage with a Customer through Groov’s Services or a Groov-embedded app, Groov will receive your business data and transaction information. Depending on how the Customer has integrated our Platform Services, we may receive this information directly from you, the Customer or another service provider to you or the Customer.	Business Data and Transaction data (including from connected accounts using Groov Connect). Your name, email, address, bank account information, merchant account information, merchant and location details, transaction details. The financing/capital product information that we collect will depend upon the financing option that you choose to use based on the eligibility we have worked out from the list of Financial Partners enabled by the Customer as part of the Platform Services configuration process. We may also receive your transaction history with the Customer. Business Data Information / Financing Interests. Information typed into a Financing onboarding application that is not ultimately submitted to the Financial Partner.	Our legitimate interests in providing the Groov products and services. Groov processes this personal data given its legitimate interest in improving the Services and where it is necessary for the adequate performance of the contract with the Customer and/or Financial Partner.
Provide our Services to Financial Partners, to order financing options on behalf of the Customer, to implement compliance checks chosen by the Financial Partner.	Identity and Verification Information. The information collected will be the information that you choose to share for these purposes, which may include your government ID, your photo, your personal documentation, and Personal Data apparent from any such data/document gathering.	Our legal obligations in respect of our financial and regulatory obligations.
Reduce fraud and enhance security. We will share Personal Data about your identity, including information that you provide, to enable our Financial Partners to perform verification Services to establish KYC obligations and reduce fraud and enhance security.	In some cases you may provide your identity document, and we or our Financial Partners will use technology to “verify.” We will use information from our service providers, our Financial Partners and our Services to help verify your identity and fraud prevention.	Based on consent in processing this personal information. Our legitimate interests in establishing identity and confirming to compliance obligation on behalf of our Financial Partners
Compliance and Harm Prevention. We process and share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) for compliance with rules imposed by financial partners in connection with use of that financing/capital product; (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Groov, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.	Any Personal Data we process, including information necessary for identity verification	Where these processing activities or disclosures are necessary to comply with our legal obligations, for the protection of a person's vital interests, for reasons of public interest, for reasons of substantial public interest, or for the purposes of Groov’s or a third party’s legitimate interest in keeping Groov secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations, facilitating the collection of taxes and prevention of tax fraud or preventing loss or damage.
Financial Products. We use your Personal Data to offer you financial products and services under the Financial Partners brand and/or under the brand of a Customer.	Your name, email address, phone number, postal address, transaction information, password, PIN or similar authentication credentials, age, DOB, identity and proof details (like drivers license number, tax ID), cookie data, IP address.	Our legitimate interests in promoting our products and in determining eligibility for and offer new and/or existing Groov products and services.
Offer our Services and Alert you of Changes to our Services. We work with Financial Partners to offer financing to Merchants who can satisfy particular criteria and will process your data to help determine if you qualify for financing or not. Certain information will be processed by Groov prior to the offer of financing in order to determine eligibility.	The name and other identifying details and contact information of a Merchant’s Owners/Directors, physical address, and your Groov setup details and information related to the your performance insights aggregated by Groov or if you chose to provide such information directly.	Our legitimate interests in promoting our products and in determining eligibility for and offer new Groov products and services.

Authorised Users

When you are acting on behalf ofan existing or potential Customer - perhaps as an account administrator for a Customer- we categorize you as an “Authorised User”

PROCESSING PURPOSE	CATEGORIES OF PERSONAL DATA	LEGAL BASES
Contractual and Pre-Contractual Business Relationships. We process Personal Data to enter into business relationships with prospective Authorised Users and fulfil our respective contractual obligations with them.	Onboarding and account setup information that you create as part of account registration/setup, which may include your name, email, address, work phone number, job title, password credentials, IP address, cookies.	Based on consent in processing this personal information. Our contractual necessity to perform our contractual relationship with our Customer, under applicable data protection laws.
Advertising. We may use and share Representative Personal Data with others so that we may advertise and market our products and services to you, including through interest-based advertising subject to any consent requirements under applicable law.	Contact information including: name, email address, work phone number, and job title. Connection data such as IP address, and web behaviour (page visited, length on page, etc.)	Based on consent in processing this personal information.
Communications. We may send you email marketing communications about Groov products and services or otherwise communicate with you for marketing purposes, provided that we do so in accordance with applicable law, including any consent or opt-out requirements. We may also send you regular and ongoing service and customer support related communications.	Contact information such as your name, email address, phone number.	Based on consent in processing this personal information. Our legitimate interests in responding to inquiries, sending Service notices, ensuring compliance with applicable laws, preventing fraud, improving our services and providing customer support.

Visitors

When you visit a Site without being logged into a Groov account or otherwise communicate with Groov, we refer to you as a “Visitor.” (e.g. you send Groov a message asking for more information because you are considering being a user of our products).

PROCESSING PURPOSE	CATEGORIES OF PERSONAL DATA	LEGAL BASES
Communications. We use any contact information that you provide to us to respond to any inquiries or requests for information you made; and if you have asked about us or our Services, to send you marketing emails by either asking for your consent or providing you an opt out in any messages we send.	Contact information such as your name, email address, phone number. Information you have provided to us, such as the products you are interested in.	Based on consent in processing this personal information. Our legitimate interests in responding to inquiries, sending Service notices and providing customer support.
Advertising. When you visit our Sites, we (and our service providers) may use Personal Data collected from you and your device to target advertisements for Groov Services to you on our Sites and other sites you visit (“interest-based advertising”).	Information collected from cookies such as your device, browser ID, and pages on our website which you have visited.	Based on consent in processing this personal information. Our legitimate interest in undertaking marketing activities to offer you products or services that may be of interest to you.
Fraud Detection. We use your Personal Data collected across our Services to detect and prevent fraud against Groov, our Business Users, Customers and financial partners.	Advanced Fraud Signals information collected via cookies. This includes web browsing information, usage data, referring URLs, location, cookies data, device data and identifiers.	Our legitimate interests in detecting, monitoring and preventing fraud and unauthorized service access.

4. Your rights and choices

Depending on your location and subject to applicable law, you may have choices regarding our collection, use, and disclosure of your Personal Data:

a. Opting out of receiving electronic communications from us

If you wish to stop receiving marketing-related emails from us, you can opt-out by clicking the unsubscribe link included in such emails. We'll try to process your request(s) as quickly as reasonably practicable. However, it's important to note that even if you opt out ofr eceiving marketing-related emails from us, we retain the right to communicate with you about the Services you receive (like support and important legal notices) and our Customers and/or Financial Partners might still send you messages or instruct us to send you messages on their behalf.

b. Your data protection rights

Depending on your location and subject to applicable law, you may have the following rights regarding the Personal Data we control about you:

The right to request confirmation of whether Groov is processing Personal Data associated with you, and if so, request access to that Personal Data;
The right to request that Groov rectify or update your Personal Data if it's inaccurate, incomplete, or outdated;
The right to request that Groov erase your Personal Data in certain circumstances as provided by law;
The right to request that Groov restrict the use of your Personal Data in certain circumstances, such as while Groov is considering another request you've submitted (for instance, a request that Groov update your Personal Data);
The right to request that we export the Personal Data we hold about you to another company, provided it's technically feasible;
The right to withdraw your consent if your Personal Data is being processed based on your previous consent;
The right to object to the processing of your Personal Data if we are processing your data based on our legitimate interests; unless there are compelling legitimate grounds or the processing is necessary for legal reasons, we will cease processing your Personal Data upon receiving your objection;
The right not to be discriminated against for exercising these rights; and
The right to appeal any decision by Groov relating to these rights by contacting Groov’s Data Privacy Team at privacy@wearegroov.io, and/or relevant regulatory agencies.

c. Process for exercising your data protection rights

To exercise your data protection rights related toPersonal Data we process as a data controller, contact us as outlined below. For Personal Data we process as a data processor, please reach out to the relevant data controller (Customer) to exercise your rights. If you contact us regarding your Personal Data we process as a data processor, we will refer you to the relevant data controller to the extent we are able to identify them.

5. Security and Retention

We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical, and administrative measures designed to protect the Personal Data covered by this Policy from unauthorized access, destruction, loss, alteration, or misuse. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.

We encourage you to assist us in protecting your PersonalData. If you hold a Groov account, you can do so by using a strong password, safeguarding your password against unauthorized use, and avoiding using identical login credentials you use for other services or accounts for your Groov account. If you suspect that your interaction with us is no longer secure (for instance, you believe that your Groov account's security has been compromised), please contact us immediately.

We retain your Personal Data for as long as we continue to provide the Services to you or our Customers / Financial Partners, or for a period in which we reasonably foresee continuing to provide the Services. Even after we stop providing Services directly to you or to a Customer that you're doing business with, and even after you close your Groov account or complete your engagement with a Customer or Financial Partner, we may continue to retain yourPersonal Data to:

Comply with our legal and regulatory obligations;
Enable Compliance management activities; and
Comply with our tax, accounting, and financial reporting obligations, including when such retention is required by our contractual agreements with our Financial Partners (and where data retention is mandated by the financing options you've used).

In cases where we keep your Personal Data, we do so in accordance with any limitation periods and record retention obligations imposed by applicable law.

6. International Data Transfer

Whenever we transfer your personal data outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
Where we use certain sub-processors or service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

When a data transfer mechanism is mandated by applicable law, we employ one or more of the following:

Transfers to certain countries or recipients that are recognized as having an adequate level of protection forPersonal Data under applicable law.
EU Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office. You can obtain a copy of the relevant Standard Contractual Clauses.
Other lawful methods available to us under applicable law.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.

7. Updates and notifications

We may change this Policy from time to time to reflect new services, changes in our privacy practices or relevant laws. The “Last updated” legend at the top of this Policy indicates when this Policy was last revised. Any changes are effective the latter of when we post the revised Policy on the Services or otherwise provide notice of the update as required by law.

We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our website and, if you are a Business User, or Authorised User, by contacting you through your Groov Dashboard, email address and/or the physical address listed in your Groov account.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

8. Contact us

If you have any questions about this privacy policy or our privacy practices, please contact us in the following ways:

Email address:
privacy@wearegroov.io

Postal address: 19 Craigcrook Road, Edinburgh, Scotland, EH4 3NQ

In the UK, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you are a Merchant (i.e., an individual doing business or transacting with a Customer), please refer to the privacy policy or notice of the Customer for information regarding the Customer’s privacy practices, choices and controls, or contact the Customer directly.

Data Processing Agreement

Last updated: 18 March, 2025

This Data Processing Agreement (“DPA”) is subject to and forms part of the Agreement and governs Groov’s and its Affiliates’ Processing of Personal Data.

1. Structure.

As your Groov account is UK based, you enter this DPA with Groov Technology Ltd (“Groov”).

2. Groov as Data Processor and Data Controller.

Data Processing Roles
Groov as a Data Processor	When Groov Processes Personal Data as a Data Processor, it is acting as a Data Processor on behalf of you, the Data Controller.
Groov as a Data Controller	When Groov Processes Personal Data as a Data Controller it: · has the sole and exclusive authority to determine the purposes and means of Processing Personal Data it receives from or through you; and · may engage a Groov Affiliate to act as a Data Processor to provide services
Data Processing Purposes
Groov as a Data Processor	The purposes of Groov’s Processing of Personal Data in its capacity as a Data Processor are to: · service the Groov platform; and · provide, and provide access to, Groov’s products and services.
Groov as a Data Controller	The purposes of Groov’s Processing of Personal Data in its capacity as a Data Controller when providing Groov’s products and services are to: · determine and utilize third parties (Financial Partners, CRAs); · monitor, prevent and detect fraudulent activity on the Groov platform; · monitor, prevent and mitigate financial loss, security risks, and other harm; · implement, maintain and perform internal processes that enable Groov to provide its products and services; · comply with Law, and Financial Partner requirements and requests; and · analyze and develop Groov’s products and services.

Categories of Data Subjects and Personal Data: Groov as a Data Processor and a Data Controller
Data Subjects	Groov may Process the Personal Data of Customers, Merchants, Authorised Users, business contacts and any natural person who accesses or uses the Groov Account.
Personal Data	If applicable, Groov may Process merchant account details, bank account details, billing/shipping address, name, app IDs, email address, phone numbers, IP address/location, order ID, tax ID/status, identity information including government issued documents (e.g., national IDs, driver’s licences and passports).
Duration of Processing
Groov as a Data Processor	For the Term and any period required to perform a party’s post-termination obligations.
Data Security
Groov as a Data Processor and Data Controller	Groov will implement and maintain a written information security program with the Data Security Measures as detailed in the DPA

3. Groov Obligations when Acting as a Data Processor.

3.1. Obligations.

When Groov is acting as a Data Processor for you, Groov will:

(a) Process Personal Data on your behalf and according to your Instructions. Groov will inform you if, in its opinion, Instructions violate or infringe DP Law;

(b) ensure that all persons Groov authorizes to Process Personal Data are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data;

(c) to the extent required by DP Law, inform you of each request Groov receives from Data Subjects exercising their rights under DP Law to (i) access their Personal Data; (ii) have their Personal Data corrected or erased; (iii)restrict or object to Groov’s Processing; or (iv) data portability (collectively “Data Subject Request”). Other than to request further information, identify the Data Subject, and, if applicable, direct the Data Subject to you as Data Controller, Groov will not respond to these requests unless you instruct Groov in writing to do so. Considering the nature of the Processing, Groov will assist you by appropriate technical and organizational measures, in so far as this is possible, to enable you to meet your obligation to respond to a Data Subject Request;

(d) to the extent required by DP Law, inform you of each law enforcement request Groov receives from a Governmental Authority requiring Groov to disclose Personal Data or participate in an investigation requiring Groov to disclose Personal Data, unless prohibited by Law;

(e) to the extent required by DP Law, provide you with reasonable assistance, following your written request, to help you comply with your obligations under DP Law and, considering the nature of theProcessing and the information available to Groov, Groov will provide reasonable information to help you conduct a data protection impact assessment or consult with a Supervisory Authority. If you request assistance from Groov that goes beyond Groov’s obligations under DP Law or this Agreement, Groov may charge you a reasonable fee;

(f) if Groov experiences a Data Incident, notify you without undue delay, which for Data Incidents affecting Personal Data Subject to the GDPR or UK GDPR will be no later than 48 hours, in each case after becoming aware of the Data Incident. To the extent known to Groov, Groov’s notification to you will describe in reasonable detail (i) the type of Personal Data that was the subject of the Data Incident, (ii) the categories and potential number of individuals or records affected (including their countries), and (iii) the status of Groov’s investigation and current or planned remediation. Following the notification, Groov will provide relevant updates to assist you in complying with your obligations under DP Law;

(g) to the extent required by DP Law and following your written request, contribute to audits or inspections by making audit reports available to you. Following this request, and no more frequently than once annually, Groov will promptly provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding Groov’s and its Affiliates’ Processing of Personal Data. All reports and documentation provided, including any response to a security questionnaire, are Groov’s confidential information; and

(h) at your choice, delete or return to you all Personal Data Processed in connection with the Services, and delete existing copies, following termination of the Agreement, except that Groov will not be required to delete or return that Personal Data, or delete existing copies, to the extent that Groov’s storage of that Personal Data or those copies is (i)required by Groov to exercise its rights and perform its obligations under this Agreement; or (ii) required or authorized by DP Law for a longer period.

3.2. Sub-processors.

(a) Groov engages Sub-processors as necessary to perform the Services. Groov’s list of Sub-processors, which may also include Groov Affiliates, is located at https://www.wearegroov.io/legal/service-providers (“Groov Sub-Processors and Service ProvidersList”). You consent to Groov’s use of its existing Sub-processors and grant Groov a general written authorisation to engage Sub-processors as necessary to perform the Services. Under the terms of our Data Processing Agreement (DPA), you may reasonably object in writing to the processing of its personal data by a new Sub-processor within 30 days following the update of the above page. You acknowledge that Groov’s Sub-processors are essential to provide the Services and that if you object to Groov’s use of a Sub-processor, then not withstanding anything to the contrary in the Agreement (including this DPA), Groov will not be obligated to provide you the Services for which Groov uses that Sub-processor.

(b) Groov will enter into a written agreement with each Sub-processor that imposes on that Sub-processor obligations comparable to those imposed on Groov under this DPA, including the obligation to implement appropriate Data Security Measures. If a Sub-processor fails to fulfil its data protection obligations under that agreement, Groov will remain liable to you for the acts and omissions of its Sub-processor to the same extent Groov would be liable if performing the relevant Services directly under this DPA.

3.3. Disclaimer of Liability.

Notwithstanding anything to the contrary in the Agreement, including this DPA, Groov and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to Groov’s or any of its Affiliates’ acts or omissions, to the extent that Groov was acting in accordance with your Instructions.

4. Your obligations when acting as a Data Controller.

You must:

(a) only provide Instructions to Groov that are lawful;

(b) comply with and perform your obligations under DP Law, including with regard to Data Subject rights, data security and confidentiality, and ensure you have an appropriate legal basis for the Processing of Personal Data as described in theAgreement, including this DPA; and

(c) provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) and, where required by DP Law, obtain all necessary consents, regarding Groov’s and your Processing of Personal Data for the purposes described in the Agreement, including this DPA.

5. Groov’s obligations when acting as a Data Controller.

Groov must comply with and perform its obligations under DP Law when Processing Personal Data.

6. Data transfers.

6.1. Cross-border data transfers by you.

You acknowledge that in order for Groov to provide the Services, you transfer Personal Data to Groov Technology Ltd in the United Kingdom. If the transfer comprises Personal Data that requires a Data Transfer Mechanism, the Data Transfers Addendum, as per Schedule 1 which is incorporated into this DPA, will apply.

6.2. Cross-border data transfers by Groov.

Groov and its Affiliates may transfer Personal Data outside United Kingdom as necessary to provide the Services. In particular, Personal Data may be transferred to Groov’s Affiliates and Sub-processors in other jurisdictions.

7. Conflict.

If there is any conflict between:

(a) the provisions of this DPA and any provision of the Agreement regarding Personal Data Processing, the provisions of this DPA will prevail; and

(b) the provisions of this DPA and any provision of the Data Transfers Addendum, the provisions of the Data Transfers Addendum will prevail.

8. Data Security

8.1. Security Programs and Policies.

Groov maintains and enforces a security program that addresses how Groov manages security, including its security controls. The security program includes:

documented policies that Groov formally approves, internally publishes, communicates to appropriate personnel [All (a)Groov employees; and (b) Groov independent contractors who may have access to data, including those who Process Personal Data ((a) and (b), collectively ‘‘Personnel”)] and reviews at least annually;
documented, clear assignment of responsibility and authority for security program activities;
policies covering, as applicable, acceptable computer use, data classification, access control, removable media and remote access; and
regular testing of the key controls, systems and procedures.

8.2. Information Security Policy Framework

Policy Framework.The information security management system is built upon an information security policy framework made up of the following policies:

DP01 Data protection Policy
DP02 Data Retention Policy
IS01 Information Security Policy
IS02 Access Control Policy
IS03 Asset Management Policy
IS04 Risk Management Policy
IS05 Information Classification and Handling Policy
IS06 Information Security Awareness and Training Policy
IS07 Acceptable Use Policy
IS08 Clear Desk and Clear Screen Policy
IS09 Mobile and Teleworking Policy
IS10 Business Continuity Policy
IS11 Backup Policy
IS12 Malware and Antivirus Policy
IS13 Change Management Policy
IS14 Third Party Supplier Security Policy
IS15 Continual Improvement Policy
IS16 Logging and Monitoring Policy
IS17 Network Security Management Policy
IS18 Information Transfer Policy
IS19 Secure Development Policy
IS20 Physical and Environmental Security Policy
IS21 Cryptographic Key Management Policy
IS22 Cryptographic Control and Encryption Policy
IS23 Document and Record Policy
IS24 Significant Incident Policy and Collection of Evidence
IS25 Patch Management Policy
IS26 Cloud Service Policy
IS27 Intellectual Property Rights Policy
IS28 Artificial Intelligence Policy

Compliance. Compliance with the policies and procedures of the information security management system are monitored via the Management Review Team, together with independent reviews by both Internal and External Audit on a periodic basis.

8.3. Security and Data Breaches.

Technical and organizational safeguards. Groov implements technical and organizational measures to ensure an appropriate level of security with respect to Personal Data.‍

Personal Data Breaches. Groov shall inform you without undue delay after becoming aware of any Personal Data Breach. Groov shall (a) provide any information available to Groov that you reasonably need to comply with your obligations under DP Laws and (b), take commercially reasonable steps to contain and investigate any Personal Data Breach.‍

Personnel. Groov will (a) authorize its employees, contractors andSub-processors to access Personal Data only to the extent required for the due fulfilment of this Agreement, (b) implement reasonable controls to verify the reliability of Groov’s employees and contractors to the extent they are involved in the processing of Personal Data and (iv), ensure that all employees, contractors and Sub-processors have agreed to maintain the confidentiality of the Personal Data or are under an appropriate statutory obligation of confidentiality.

8.4. Certifications, Information andAssistance‍

Groov Audits. Groov performs regular audits to verify the adequacy of its security measures. Those audits are carried out (a) at least annually,(b) in accordance with ISO 27001 standards or another substantially equivalent standard, (c) by independent third-party security professionals, (d) at Groov’s expense and results in a report (the “Report”).‍

Verifying Compliance. To allow you to reasonably verify Groov’s compliance with the DPA, Groov undertakes to provide to you the executive summary of the latest Report (on your request).‍

Further Assistance. Groov shall, to the extent required under applicable DP Laws and in accordance with your written instruction in each case, assist you in fulfilling its legal obligations under applicable DP Laws (including contributing to data protection impact assessments and consultations with supervisory authorities). You acknowledge that Groov will provide the Documentation, and the information provided in this Section, and shall exercise its right to further assistance only to the extent it is unable to comply with DP Laws by relying on that information.‍

Confidentiality. Any information provided to you under this Section shall be construed as Groov’s Confidential Information (including information made available about Sub-processors).

8.5. Reviews, Audit Reports and Security Questionnaires

Upon written request, and no more frequently than annually, Groov will complete a written data security questionnaire of reasonable scope and duration regarding Groov’s business practices and data technology environment in relation to the Processing of Personal Data. Groov’s responses to the security questionnaire are Groov’s confidential data.

9. Definitions.

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

“Agreement” has the meaning given in the Groov services agreement between you and Groov located at https://www.wearegroov.io/legal/terms.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

“Data Incident” means an unauthorized or unlawful Processing, use, access, loss, disclosure, destruction or alteration of Personal Data in a party’s or its Affiliate’s, or a party’s or its Affiliate’s subcontractor’s, agent’s or business contact’s, possession or control.

“Data Processor” means the entity that Processes PersonalData on behalfnof the Data Controller, which may include, as applicable, a “Service Provider” too.

“Data Security Measures” means technical and organizational measures that are intended to secure Personal Data to a level of security appropriate for the risk of the Processing.

“Data Subject” means an identified or identifiable natural person to which Personal Data relates.

“Data Transfer Mechanism” means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under DP Law, which includes transfer mechanisms that are required under DP Law in the EEA and the UK, such as the the EEA SCCs, the UK International Data Transfer Addendum and any data transfer mechanism available under DP Law that is incorporated into this DPA.

“Data Transfers Addendum” means the data transfers addendum as per Schedule 1 - Data Transfers Addendum (DTA).

“DP Law” meansLaw that applies to Personal Data Processing under the Agreement and this DPA, including international, and local Law relating in any way to privacy, data protection or data security.

“EEA” means the European Economic Area.

“EEA SCCs” means Module 1 (Transfer: Controller to Controller) and Module 2 (Transfer: Controller to Processor) of the standard contractual clauses set out in the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries according to the GDPR.

“GDPR” means General Data Protection Regulation (EU) 2016/679.

“Instructions” means any communication or documentation, including that which may be provided through a Groov API, or Groov Dashboard, or written agreements between you and Groov through which the Data Controller instructs a Data Processor to perform specific Processing of Personal Data for that Data Controller.

“Personal Data” means any information relating to an identifiable natural person that is Processed in connection with the Services, and includes “personal data” as defined under the GDPR.

“Process” means to perform any operation or set of operations onPersonal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as described under DP Law.

“Sensitive Data” means,to the extent this data is treated distinctly as a special category of Personal Data underDP Law: (a) Personal Data that is genetic data, biometric data, data concerning health, a natural person's sex life or sexual orientation; (b) data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (c) geolocation data;

“Sub-processor” means an entity a Data Processor engages to Process Personal Data on that Data Processor’s behalf in connection with the Services.

“Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection that has supervisory authority and jurisdiction over you.

“UK GDPR” means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK International Data Transfer Addendum” means the international data transfer addendum to the EEA SCCs issued by the United Kingdom’s Information Commissioner's Office.

Schedule 1. Data Transfers Addendum (DTA)

The UK International Data Transfer Addendum, completed and supplemented according to this Data Transfers Addendum, applies to a transfer by you to Groov of Personal Data that is subject to DP Law in the United Kingdom and Processed under your DPA.

Part 1: The Parties

PART 1: THE TABLES

TABLE 1:THE PARTIES

Exporter (who sends the Restricted Transfer)

‍Full legal name (and trading name, if different): The party to the Agreement with Groov or its Affiliate (as applicable).‍
Main address (if a company registered address): The exporter's address.‍
Official registration number (if any) (company number or similar identifier): The exporter's official registration number.‍
Key Contact: The name, position and contact details provided by the exporter.‍
Signature: By using the Services to transfer Personal Data to the importer, the exporter will be deemed to have signed this UK International Data Transfer Addendum.

‍

Importer (who receives the Restricted Transfer)

‍Full legal name (and trading name, if different): Groov Technology Ltd.‍
Main address (if a company registered address): 19 Craigcrook Road, Edinburgh, Scotland,EH4 3NQ.‍
Official registration number (if any) (company number or similar identifier): SC679273.‍
Key Contact: Groov Privacy Team, privacy@wearegroov.io‍
Signature: The importer will be deemed to have signed this UK International Data Transfer Addendum on the transfer of Personal Data by the exporter in connection with the Services.

‍

TABLE 2: SELECTED SCCs, MODULES AND SELECTED CLAUSES

Addendum EU SCCs

the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module	Module in operation	Clause 7 (Docking Clause)	Clause 11 (Option)	Clause 9a (Prior Authorisation or General Authorisation)	Clause 9a (Time period)	Is personal data received from the Importer combined with personal data collected by the Exporter?
1 (C2C)	Yes	n/a	Per Complaints Policy	General Authorisation	30 days	Yes
2 (C2P)	Yes	n/a	Per Complaints Policy	General Authorisation	30 days	Yes
3	No
4	No

‍

TABLE 3: APPENDIX INFORMATION

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

APPENDIX TO MODULE 1 (TRANSFER: CONTROLLER TO CONTROLLER)

ANNEX I

A. LIST OF PARTIES

Data exporter

‍Name: The party to the Agreement with Groov or its Affiliate (as applicable).‍
Address: The data exporter's address.‍
Contact person's name, position and contact details: The name, position and contact details provided by the data exporter.‍
Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter's use of the Services under the Agreement.‍
Role (controller/processor): Controller‍
Signature and date: By using the Services to transfer Personal Data to the data importer, the data exporter will be deemed to have signed this Annex I.

‍

Data importer

‍Name: Groov Technology Ltd.‍
Registered office: 19 Craigcrook Road,Edinburgh, Scotland, EH4 3NQ.‍
Contact details: Groov Privacy Team, privacy@wearegroov.io‍
Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter's use of the Services under the Agreement.‍
Role (controller/processor): Controller‍
Signature and date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The Personal Data transferred concern the following categories of Data Subjects:

Users of the data importer's services.
The data exporter's Merchants, Business Contacts and any natural person who accesses or uses the data exporter's Groov Account.

Categories of personal data transferred

The categories of Personal Data transferred are described in the DPA.

The frequency of the transfer (whether the data is transferred on a one-off or continuous basis).

The frequency of the transfer is a continuous basis for the duration of the Agreement until the Personal Data is deleted in accordance with the Agreement, including the DPA.

Nature of the processing

The nature of the processing is described in the DPA.

Purpose(s) of the data transfer and further processing

The purposes of the data transferare described in the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The period for which the personal data will be retained is set out in the Agreement and the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter and nature of the processing are described in the Agreement and the DPA. Subject to the data retention and deletion provisions of the Agreement and the DPA, the duration of the processing is the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority in accordance with Clause 13 of the EEA SCCs is the Information Commissioner's Office (ICO), UK.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will maintain and implement the technical and organizational measures set out in the Data Security Clause of the DPA.

‍

APPENDIX TO MODULE 2 (TRANSFER: CONTROLLER TO PROCESSOR)

ANNEX I

A. LIST OF PARTIES

Data exporter

‍Name: The party to the Agreement with Groov or its Affiliate (as applicable).‍
Address: The data exporter's address.‍
Contact person's name, position and contact details: The name, position and contact details provided by the data exporter.‍
Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter's use of the Services under the Agreement.‍
Role (controller/processor): Controller‍
Signature and date: By using the Services to transfer Personal Data to the data importer, the data exporter will be deemed to have signed this Annex I.

Data importer

‍Name: Groov Technology Ltd.‍
Registered office: 19 Craigcrook Road,Edinburgh, Scotland, EH4 3NQ.‍
Contact details: Groov Privacy Team, privacy@wearegroov.io‍
Activities relevant to the data transferred under these Clauses: Processing Personal Data in connection with the data exporter's use of the Services under the Agreement.‍
Role (controller/processor): Processor‍
Signature and date: The data importer will be deemed to have signed this Annex I on the transfer of Personal Data by the data exporter in connection with the Services.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The Personal Data transferred concern the following categories of Data Subjects:

Users of the data importer's services.
The data exporter's Merchants, Business Contacts and any natural person who accesses or uses the data exporter's Groov Account.

Categories of personal data transferred

The categories of Personal Data transferred are described in the DPA.

The frequency of the transfer (whether the data is transferred on a one-off or continuous basis).

The frequency of the transfer is a continuous basis for the duration of the Agreement until the Personal Data is deleted in accordance with the Agreement, including the DPA.

Nature of the processing

The nature of the processing is described in the DPA.

Purpose(s) of the data transfer and further processing

The purposes of the data transfer are described in the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The period for which the personal data will be retained is set out in the Agreement and the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority in accordance with Clause 13 of the EEA SCCs is the Information Commissioner's Office (ICO), UK.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer will maintain and implement the technical and organizational measures set out in the Data Security Clause of the DPA.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has generally authorized the engagement of the Sub-processors at https://www.wearegroov.io/legal/service-providers

TABLE 4: ENDING THIS ADDENDUM WHEN THE APPROVED ADDENDUM CHANGES

The importer and the exporter may end this UK International Data Transfer Addendum as set out in Section 19 o fthis UK International Data Transfer Addendum.

Part 2: Mandatory Clauses

PART 2: MANDATORY CLAUSES

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2. Although Annex 1A and Clause 7of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in anyway that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of theApproved EU SCCs.

Interpretation of this UK International Data Transfer Addendum

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

(a) "Addendum" means this International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.

(b) "Addendum EU SCCs"means the version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.

(d) "Appropriate Safeguards" means the standard of protection over the personal data and of data subjects' rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.

(e) "Approved Addendum"means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.

(f) "Approved EU SCCs"means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

(g) "ICO" means the Information Commissioner.

(h) "Restricted Transfer" means a transfer which is covered by Chapter V of the UK GDPR.

(i) "UK" means the United Kingdom of Great Britain and Northern Ireland.

(j) "UK Data ProtectionLaws" means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.

(k) "UK GDPR" has the meaning given to it in section 3 of the Data Protection Act 2018.

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties' obligation to provide the Appropriate Safeguards.

5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

8. Any references to legislation(or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section ‎10 will prevail.

10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then theParties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12. This Addendum incorporates theAddendum EU SCCs which are amended to the extent necessary so that:

(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter's processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

(b) Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

(c) this Addendum (including theAddendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13. Unless the Parties have agreed alternative amendments which meet the requirements of Section ‎12, the provisions of Section ‎15 will apply.

14. No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.

15. The following amendments to the Addendum EU SCCs (for the purpose of Section ‎12) are made:

(a) References to the"Clauses" means this Addendum, incorporating the Addendum EU SCCs;

(b) In Clause 2, delete the words:

"and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU)2016/679";

"The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";

(d) Clause 8.7(i) of Module 1 is replaced with:

"it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";

(e) Clause 8.8(i) of Modules 2 and3 is replaced with:

"the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"

(f) References to "Regulation(EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specificArticle(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;

(g) References to Regulation (EU)2018/1725 are removed;

(h) References to the"European Union", "Union", "EU", "EU MemberState", "Member State" and "EU or Member State" are all replaced with the "UK";

(i) The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";

(j) Clause 13(a) and Part C ofAnnex I are not used;

(k) The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";

(l) In Clause 16(e), subsection(i) is replaced with:

"the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";

(m) Clause 17 is replaced with:

"These Clauses are governed by the laws of England and Wales.";

(n) Clause 18 is replaced with:

"Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and

(o) The footnotes to the ApprovedEU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and11.

Amendments to this Addendum

16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of England.

17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

18. From time to time, the ICO may issue a revised Approved Addendum which:

(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

(b) reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

19. If the ICO issues a revised Approved Addendum under Section ‎18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

(a) its direct costs of performing its obligations under the Addendum; and/or

(b) its risk under theAddendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

‍

Cookie Policy

Last updated: Mar 03, 2025

This Cookie Policy describes how Groov Technology Ltd (“Groov”) uses “cookies” and other similar technologies, in connection with our Site andServices. Any capitalized term used and not otherwise defined below has the meaning assigned to it in the Privacy Policy.

1. What is a Cookie?

Cookies are small text files that are stored in ac omputer's browser directory. They help site providers with things like understanding how people use a site, remembering a User's login details, and storing site preferences. Groov uses cookies as well as similar technologies(e.g., URL tracking, local storage). For the purpose of this Cookie Policy, such technologies are included in the term ‘cookies’.

2. Does Groov use Cookies?

Yes. We use cookies in accordance with our Privacy Policy to:

ensure that our Services function properly,
detect and prevent fraud and violations of our terms of service,
understand how visitors use and engage with our Site,
advertise our products and Services, where allowed and
analyze and improve our Services and your Site experience including improved relevancy and navigation, customizing your user experience, and curating content about Groov and our Services that's tailored to you.

3. Who sets Cookies when I use Groov's Site?

There are two main types of cookies that can be set:

First party cookies: these cookies are placed and read by Groov directly when you use our Services,
Third party cookies: these cookies are not set by Groov, but by other companies, like Google or Facebook, for site analytics purposes. See further details below on how to manage these cookies.

4. How Groov uses Cookies

Cookies play an important role in helping us provide effective and safe Services. Below is a description of the commonly used cookie types and the purposes that apply to them. Each section references Groov’s Cookie Preferences Settings Dashboard, where you can find more information about each cookie, including the types and duration of each cookie, and exercise your choices.

Groov distinguishes between 4 different types of cookies:

Strictly Necessary Cookies (Always Active)
Analytics
Marketing
Personalization

4.1. Strictly Necessary Cookies

Some cookies are essential to the operation of our Site and Services and make it usable and secure by enabling basic functions like page navigation and access to secure areas of the Site. As these are required to enable basic website functionality, they will mandatorily be Active/Enabled.

4.2. Analytics Cookies

Analytics cookies help us understand how visitors interact with our Services. We use those cookies in a number of different ways, including:

‍To Analyze and Improve Our Services. To make our Site and Services work better for You. Cookies help us understand how people reach our Site and our Users' sites. They give us insights into improvements or enhancements we need to make to our Site and Services.‍
Third Party Analytics. Through Google Analytics in order to collect and analyze information about the use of the Services and report on activities and trends. This service may also collect information regarding th euse of other sites, apps and online resources. You can learn about Google's practices on the Google website.

4.3. Marketing Cookies

We and our service providers will use cookies and similar technologies on wearegroov.io to deliver advertising that is more relevant to you and your interests through targeted advertisements for Groov Services on other sites you visit and to measure your engagement with those ads.

4.4. Personalization Cookies

Personalization cookies are used by Groov to remember your preferences and to recognize you when you return to our Services allowing the website to remember choices you make (such as your user name, language, or the region you are in). We use those cookies in a number of different ways, including:

‍Site Features and Services. To remember how you prefer to use our Services so that you don't have to reconfigure your settings each time you log into your account.

5. Can I opt-in and opt-out?

Yes. Groov uses cookies in accordance with applicable law and depending on the country or jurisdiction you are located in, Groov will ask for your prior consent before non-strictly-necessary cookies are being used, or offer you the option to opt-out of non-strictly-necessary cookies.

You can opt-out of non-strictly-necessary cookies through our Cookie Preferences Settings Dashboard.

Your web browser may also allow you to manage your cookie preferences, including to delete and disable Groov cookies. You can take a look at the help section of your web browser or follow the links below to understand your options. If you choose to disable cookies, some features of our Site orServices may not operate as intended.

‍