T Leasing Co., Ltd respects and prioritize the right of privacy and personal protection of customers, business counterparts, business alliance and stakeholders. T Leasing Co., Ltd is determined to protect personal data of customers in collecting, using disclosing, sending and/or transferring personal data of customers to a third party, protect personal data of customers from misuse and keep such data safe according to international standards in order to receive trust and confidence from customers in managing personal data. Therefore, this policy is made as follows.

1. Definitions In this Privacy Policy

In this privacy policy, the following words or expressions shall have the meaning as follows:

2. General

This Privacy Policy is prepared to provide details and the procedures to protect and manage your Personal Data. The Company may from time to time update or revise this Privacy Policy either in whole or in part including those that are specifically set forth in any part of this Website or Application, to make it correspond with the changing service guidelines and regulations of the law. Therefore, you are advised to keep abreast of this Privacy Policy. The Company will publish changes to this Privacy Policy on this Web page or Application. If there is any significant change to our Privacy Policy, we will inform you without delay.

This Privacy Policy is intended to apply to

1) Providing hire-purchase service, hire-leasing, financial service and other credit services

2) Registration for use of the Application;

3) Use of our services or purchase of our products, access to and use of any content, features, technology or functionality featured on this Website or Application; and

4) Other related services including the Company’s other services both currently existing and those to be developed or provided in the future;

5) Services to holders of all types of securities of the Company, creditors, business alliances and stakeholders of the Company except Company employees.

The Company will retain the Customer's Personal data for the period necessary to comply with the purposes outlined in this Privacy Policy and collect personal data from customers when the Customer provides the Customer's data for the leasing of motorcycles and/or other related services including identity verification data, name, email address, telephone number, residence, address for sending customer invoices, and personal documents necessary to make a loan. In addition, the Company collects other relevant data, such as data about customers' use of credit services, other products and/or services related to the Company, data about customer motorcycles (“motorcycles”) including the performance, condition and position of the motorcycle. Data about the customer's driving behavior, data provided by the customer to apply for the service, such as car insurance of the customer's choice, or other data only to the extent necessary for the case (collectively, “Personal data”) The Company and its third-party service providers may use technology to collect and link data or any other data obtaining the consent of customers in accordance with this Policy.

2.1 The Company's legal obligations

Since the Company is regulated and must comply with relevant laws and regulations. Therefore, the Company is required to collect, use or disclose customer's personal data for various purposes in order to comply with laws and regulations of government agencies and/or the entities responsible for supervising the Company, including but not limited to the following purposes:

a) To comply with the Personal Data Protection Act.

b) To comply with laws (e.g., business laws, financial institutions, Securities and Exchange Act, Anti-Money Laundering Laws, laws preventing and suppressing financing of terrorism and the proliferation of weapons of mass destruction and other laws that the Company must comply with both in Thailand and abroad) and/or

c) To comply with regulations and/or orders of authorized persons (e.g., court orders, orders of government agencies, regulatory bodies, or authorized officers);

2.2 Contracts made by customers with the Company

The Company will collect, use or disclose customer's personal data only if the customer has consented to the Company for the following purposes:

a) Process the client's request before entering into a contract with the Company, approval of the provision of products and/or services and the delivery of products and/or services to customers. This includes any action taken by the Company which, if not carried out, will affect the Company's operations or services or will not be able to provide fair and continuous services.

b) Verify your identity in any transaction.

c) Carry out customer orders (e.g., for the execution of requests regarding car leasing and other liquidity loans, request for issuance of insurance letter, a letter of financial evidence or a request for repayment of a debt or a change in the customer's insurance policy or a response to a customer's questions.

d) Providing services to the Company through online banking, mobile applications and other online product platforms.

e) Track or record customer transactions

f) Prepare reports (e.g., transaction reports requested by customers or internal reports of customers).

g) Transaction Alerts

h) repay debts owed by the Customer to the Company (e.g., in the event that the Customer has not repaid the hire-purchase debt and/or unpaid fees) and/or

i) Take any action in connection with the insurance policy or claim (e.g., evaluate the customer's insurance request, bid for premiums, deliver the insurance policy to the customer, process or pursue the claim under the customer's insurance policy, to exercise the claim against a third party.

2.3 Legitimate interests of the Company

The Company will rely on the legitimate interests, taking into account the interests of the Company or of other persons and the fundamental rights in the personal data of customers that the Company will collect, use or disclose including, but is not limited to, the following purposes:

a) Manage the company's business and those of its group companies (e.g., supervise, manage risks, monitor, prevent and monitor fraud, money laundering, terrorism, immoral behavior or other crimes including, but is not limited to, checking the credibility of any person in connection with the Company's corporate clients.)

b) Manage the relationship between the company and the customer (e.g., take care of customers, assess satisfaction, handle complaints)

c) Maintain security (e.g. CCTV recording, registration, card exchange, and/or recording of contacts before entering the company's building)

d) Develop and improve products and/or services, including the Company's systems, to raise the company's service standards and/or to maximize the benefits of meeting customer needs.

e) Record images and/or audio relating to meetings, trainings, seminars, recreation or marketing promotion activities and/or

f) In the case of corporate customers of the Company, the Company will collect, use and disclose the personal data of directors, authorized person to act on behalf of or agent.

2.4 Customer’s consent

It is necessary for the company to obtain the consent of the customer to collect, use or disclose customer's personal data in order to maximize the benefits of customers and/or to enable the Company to provide services that meet the needs of customers for the following purposes:

a) Collect and use all personal data used to verify identity, sensitive personal data (e.g. using face recognition data) or a photo of the customer's ID card (which contains the customer's sensitive personal data including religion and/or blood type) To prove and verify the customer's identity prior to the transaction.

b) Collect and use customer personal data and any data to research and analyze in the best interests of developing products and services that truly meet customer needs and/or contacting customers to offer customers specific products, services and benefits.

c) Send or transfer customer's personal data to foreign countries only where necessary and adequate data security standards are required (unless the Personal Data Protection Act requires that it be carried out without consent) and/or

d) In case the client is a minor, incompetent people, quasi-incompetent people, they must obtain parental consent, guardian or protector (as the case may be) expressly and parent, guardian or protector consent to provide necessary data to allow any action taken by minors, incompetent people, quasi-incompetent people in order to effect an action.

2.5 Other legal bases

In addition to the above legal bases, the Company may collect, use or disclose customer personal data under the following other legal bases:

a) Document history or archives in the public interest, or in relation to research studies or statistics.

b) It is necessary for the performance of duties in the performance of tasks in the public interest or for the exercise of the powers of the authorities.

3. Personal data collected by the Company

In this Privacy Policy, "Personal data" means data about an individual which enables the identification of that person, whether directly or indirectly, or as defined in applicable personal data protection laws. The Company collects, uses and discloses your Personal Data (which may include sensitive personal data) based on interactions we have with you, which may include, but is not limited to, the following:

• Personally identifiable data such as first name, last name, date of birth, age, photo, gender, marital status, nationality, tax ID number, signature, fingerprint
• Contact data such as house registration address, postal delivery address, work address, social network addresses, telephone number, fax number, email address. and other similar data, any other contact details and any other data about me that has been provided or arising from the use of services with the Company and/or other affiliates of the Company.
• Data in government-issued documents such as data and/or copies of ID cards Passport, driver's license, juristic person certificate
• Data to create user profiles for the company's use of various application services, such as usernames, passwords, or PIN's.
• Leasing vehicle data, such as your vehicle identification number (VIN) and date of urchase, engine number, chassis number, vehicle registration book
• Product and service data, such as service history and payment of installments, products and/or services used by you; Customer service or technical support Product ID, date and place of purchase Customer status, ability to obtain loans, data and behaviors using products and services, leasing contract details
• Financial data such as income, sources of income, expenditures, bank account numbers, details about bank account movements, installment payment data, credit data
• Data about work and work or business history, such as level of education, occupation, details about employers, details about businesses, photos of establishments, position, salary and/or compensation and/or income from business operations, proof of occupation (e.g. employee ID card, civil servant card), work income clarification document.
• Data from T Leasing Application
• Details about connecting to the T Leasing or T Leasing website Applications, such as your operating system, your browser type (for visiting the company's website) ,details of the device you are using (e.g. your device serial number, identification number and MAC Address) and the geographical location of the connection, any other data you send to the Company in connection with the T Leasing Website or T Leasing App, such as your signature, photograph, comments and location.
• Details about visiting the T Leasing or T Leasing website Applications such as the time of visit, the duration of connection and use of the T Leasing websites or T Leasing Applications such as the items you click on and your requests.
• Data about market research, such as customer surveys, data and opinions expressed when participating in market research, as well as details of your services and needs. (e.g., experience in using the Company's services, plans to buy a car in the future), as well as comments and complaints about using the service.
• Data required to comply with the law and/or legal requests of law enforcement agencies and/or court orders, such as data about fact-checking. (Customer Due Diligence) or data related to customer acquaintance (KYC) , consumer complaints. Data about your civil or criminal proceedings relating to products and services (if any).
• Security data, such as images, images of people, record from CCTV cameras, which can be both still images, movies, and audio.
• Data about insurance policies and claims related to products and services, such as insurance policy numbers.
• Any other data from your device and technology. The Company and its third-party service providers use technologies that collect and provide data about the use of the Company's website or applications. In addition, the Company may automatically collect your IP address or unique identifier for any mobile device, computer, technology or other device (collectively, the "Device") that you use to access the Company's website or online services [or applications] of the company. Usually, the signal connection, types of browsers Operating system, other technologies on the device you use, cookies and other similar technologies, usage data and device-specific data cannot be linked to you specifically. However, if the Company can link that data or any other data to you, then The Company will treat this data as your personal data in accordance with this Privacy Policy.
• Sensitive personal data, such as health data, disability data Criminal record data (statutory offense data) and biometric data
• Other data, such as records of interactions and communications between you and the Company, in any form or means, personal data of third parties that you provide to the Company regarding the use of its products and services or for the purpose of referring customers, any other data you provide or arising from the use of services with the Company and/or other affiliates of the Company through any channels.

The Company may collect, use, disclose, send and/or transfer data other than your Personal Data or personal data that has been made available in an unidentifiable form such as technical data about the vehicle, its use, the coordinates of the vehicle, the status, performance and condition of the vehicle, the air bag status of the vehicle, the history of the vehicle's service, keywords used to find directions, vehicle travel records, including any other data provided or arising from the use of services with the Company and/or other affiliates of the Company.

In the event that the Company has used data other than personal data in the examples mentioned above, together with personal data relating to you which your identity is identifiable. In such cases, the Company will treat data other than personal data, just as the Company treats personal data related to you.

4. Personal data of other third parties

The Company may collect personal data as stated above by other third parties, such as those you have identified for debt collection purposes, your family, relatives, friends, or any other person you have informed or advised of the Company; If you have provided the Company with such person's personal data. You represent and warrant that you have obtained the consent of the actual data subject and that such data is factually accurate and that you have done the following:

a. Notify them of this Privacy Policy.

b. obtain consent where required by law or can rely on other legal basis necessary to enable the Company to use personal data in accordance with this Privacy Policy in accordance with the law, and

c. Verify the accuracy and completeness of the Personal Data you provide and notify the Company of changes to the Personal Data provided. As mentioned above. If the actual consent of the data subject is incorrect, or the data provided does not match the reality, causing the inability to take any further action, it will be deemed to have ended immediately and the informant shall be liable for damages arising from the concealment or provision of completely false data (if any).

5. Sources of customer personal data

The Company collects personal data directly from customers, but in some cases, the Company may obtain personal data from other sources which the Company will act in accordance with the Personal Data Protection Act. Personal data collected by the Company from other sources as follows

a) Data received by the Company from companies in the financial business group of business partners and/or any other persons with whom the Company has a legal relationship.

b) Data received by the Company from persons associated with the Client (e.g., the client's family, friends, referrals).

c) Data received by the Company from business customers as the client is a director authorized agent, or assigned person or contacts

d) Data received by the Company from government agencies, the agency responsible for overseeing financial institutions, credit data companies and/or third-party service providers (e.g., publicly available data; transaction data, credit data) and/or

e) Data received by the Company from the insurer and/or any other person in connection with the insurance policy or claim.

6. Personal data Keeping Period

The Company will retain the Client's Personal data during the Client's tenure and when the Client terminates its relationship with the Company (e.g., after the Client closes an existing account with the Company, or since the Transaction with the Company, or if the Company refuses the Customer's request for services; or the customer’s request to end the service use of the company) The Company will collect the Customer's Personal Data for a reasonable period of time and necessary for each type of personal data and the purposes prescribed by the Personal Data Protection Act. The Company will retain the Company's personal data according to the validity or period specified by applicable law (e.g., business law, financial institutions, Securities and Exchange Act, Anti-Money Laundering Laws, Laws preventing and suppressing financing of terrorism and the proliferation of weapons of mass destruction, Accounting Law, Taxation Law, labor law and other laws that the Company must comply with both in Thailand and other countries. In addition, the Company may be required to record data from CCTV cameras at the Company's head office, branches or ATMs and/or record audio services through the Call Center to prevent fraud and security, as well as to monitor suspicious transactions that customers or related persons may report to the Company.

7. Use of personal data for its original purposes

The Company has the right to collect and use the personal data of customers that the Company has collected prior to the date on which the Personal Data Protection Act in relation to the collection, use and disclosure of personal data is in force for the original purposes. If the Customer does not wish to have the Company collect and use such personal data, the Client may notify the Company to withdraw the Customer's consent at any time.

8. Purposes of use or disclosure of collected Personal Data

The Company uses or discloses the collected Personal Data for the following purposes.

8.1 To ensure that the services are used in an orderly manner and in accordance with the applicable laws, rules and regulations including for compliance with legal obligations and rules relating or applicable to the Company both now in force and those to be amended or added in the future.

8.2 To verify your identity or identify you when accessing the services, entering into contracts, performing the contracts and providing services to you to ensure that the aforementioned services and all communications from the Company are secure and confidential.

8.3 To verify data on the services you use in accordance with the safety and security standards for the service system, management and protection of data technology infrastructures. We may use your Personal Data only as necessary and may encrypt the data before use and/or conduct random checks and testing against third-party access for risk management, detecting, preventing or eliminating fraud or other activities that may violate the law, related regulations or the terms and conditions of use of our Website or Application and to improve and develop safety standards and system security.

8.4 To develop products and services and increase efficiency in providing services to you.

8.5 To contact you via social media network, telephone, SMS, e-mail, postal mail, or through any other channel for inquiries or informing you of or checking and verifying your account data or feedback survey or informing you of data related to our services to the necessary extent.

8.6 To process and analyze any other benefits associated with the Company's business operations, such as for setting up and managing accounts, delivering marketing communications and educational activities, research, preparing statistics, surveying, researching and developing products and services, improving services, preparing and delivering marketing or advertising data within the Group or for relevant targets including content delivery, advertising and public relations, activities and promotions as well as providing appropriate advice in order to customize services to meet your interests, personalize business content, or user experiences, prevent fraud as well as complying with the law and internal audit requirements.

8.7 To prevent or avoid any danger to your life, body or health including your property or where it is necessary for us to perform our duties for the public interest or for exercising the power of the state given to us or our employees or representatives or to comply with the law.

8.8 To engage in co-marketing activities with the MBK Group, subject to the prior consent of the data subject for the purposes of

1) communicating, giving data or recommending products or services 2) offering promotional items, marketing activities, discounts, promotions and benefits from the Company and/or our Business Partners, and 3) data processing and analytics, customer profiling in order to offer a good or appropriate personalized experience, or that which may be of your interest through the Loyalty/Reward Program.

9. Disclosure of personal data

The Company may disclose customer personal data to the following persons or organizations, Under the rules of the Personal Data Protection Act

a) Companies in the Company's financial business group Business partners and/or any other persons with whom the Company has legal relations, including directors, executives, employees, personnel, contractors, agents, consultants of the Company and/or of such persons.

b) Government agencies and/or agencies responsible for overseeing the Company (e.g., the Office of the Consumer Protection Commission; Company of Thailand Securities and Exchange Commission, Office of Insurance Commission Ministry of Digital Economy and Society)

c) Suppliers, agents, or other organizations (such as professional associations of which the Company is a member, independent auditors, securities depository, archivals, foreign financial institutions, and clearinghouses) for which the disclosure of personal data of clients is intended for a specific purpose and under legal basis and appropriate safety measures.

d) Persons involved in the sale of claims and/or assets, reorganizations or mergers of companies to which the Company may require the transfer of rights to such entities, including persons with whom the Company is required to share data for the sale of claims and/or assets, reorganization, transfer of business Financial agreements, dispositions of assets or any other transactions relating to the business and/or assets used in the operation of the Company's business.

e) Companies and other financial institutions, including third parties where the data is required by law to enable such person to receive a refund in the event of a misappropriation of funds into the client's account, or a financial line check in the event that the client is a victim of a financial crime, or in the event that suspected money enters the client's account for a financial crime.

f) Debt collection agents, lawyers, credit data companies, fraud prevention agencies, courts, agencies, or any person designated by the Company or authorized to disclose personal data in accordance with the law, regulations or directives

g) Third parties who provide services to the Company (such as marketing analysis and comparisons, including but not limited to correspondent banking, agents or subcontractors acting on behalf of the Company, such as companies that publish and deliver credit card statements);

h) To display messages to customers and other persons about their products and services, third-party advertising companies may use their online activity history data to allocate advertising that may interest them.

i) Third-party collateral providers

j) Any other person who provides benefits or provides services related to customer products or services (e.g., insurance companies) and/or

k) Delegates Sub-delegates, agents, or legitimate representatives of clients with legitimate authority.

10. Access and update of Personal Data

11. Personal data of minors, incompetent people and quasi-incompetent people.

If the Company becomes aware that the Personal Data that requires consent to be collected belongs to the Data owner who is a minor, incompetent people or quasi-incompetent people, the Company will not collect such personal data until the consent of the person with custody power is obtained on behalf of the minor or the guardian or protector as the case may be. This is subject to the conditions stipulated by law. If the Company does not know that the owner of the personal data is a minor and it was later discovered that the Company had collected the data of the owners of such personal data without the consent of the person with custody power who can act on behalf of minors or guardians, as the case may be, the Company will take steps to delete and destroy that personal data as soon as possible if the Company has no legitimate cause other than consent to collect, use or disclose such data;

12. Security measures for the storage of Personal Data

The Company takes the security of your Personal Data very seriously. We use a range of security measures including a safe and appropriate system to collect, use or disclose Personal Data, to protect your Personal Data against loss, unauthorized use, access, modification or disclosure. Also, we limit access to your Personal Data to our employees, agents, contractors and third parties who have a need to obtain the data and oblige them to only process your Personal Data under the conditions set forth by the Company.

In addition, we will keep the Personal Data for the purposes of which we have notified you, as the data subject, and in accordance with the law. If we hire a third party to process your Personal Data, we will select a company whose data protection system meets the required standard and enter into an agreement with them regarding the storage of Personal Data in accordance with the Company privacy policy as well.

If a breach of your Personal Data occurs, we will notify the Office of the Personal Data Protection Commission without delay and within 72 hours of the knowledge of the cause as far as possible unless the breach poses no risk, affecting your rights and freedoms. Where the breach carries a high risk, affecting your rights and freedoms, we will notify you of the breach with remedial guidelines without delay.

13. Use of Cookies

The company may collect and use cookies and similar technologies. When a customer uses the Company's products and/or services, including the use of the Website, financial transactions via the Internet and the Company's applications. The collection of cookies and similar technologies helps the Company to recognize its customers, to know customers' preferences and improve how the Company will offer products and/or services to customers. The Company may use cookies for various purposes (e.g., providing basic functionality, helping the Company understand how customers use the Company's website or email, enabling the Company to provide a better online experience or communication with customers and to ensure that the online advertising materials shown to customers are more relevant and appealing to them.)

14. Linking to third-party websites, applications, products and services

The Company's Website may contain links to third-party websites, products and services. Those third parties may collect certain data about the services that you use. The Company cannot be held responsible for the security or privacy of any of your personal data collected by such third party websites, products or services. Therefore, you should exercise caution and review the privacy policies of those third party websites, products and services.

15. Application of Personal Data Protection Policy

This Privacy Policy applies to all Personal Data collected, used and disclosed by the Company. You agree and acknowledge that the Company has the right to collect the Personal Data and use or disclose the collected Personal Data (if any) as well as your Personal Data currently collected by the Company and that to be collected in the future, to other parties within the scope of this Privacy Policy.

16. Policy review

With good governance and social responsibility, the Company and relevant departments will review this Privacy Policy at least once a year.

17. Governing law and jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of Thailand and the Thai court shall have the jurisdiction to decide any disputes that may arise.

18. Contact channels

If you have any queries or questions about the Privacy Policy, you can contact us through the following channels:

Send a letter to MBK Public Company Limited to No. 444, 8th Floor, Building MBK Center Phayathai Road Wang Mai Pathumwan Bangkok 10330

or call MBK Contact Center: (66) 2832-2555

E-mail: [email protected]

The Company has assigned and appointed Ms. Sirikanlaya Paungthong to act as the Data Protection Officer to have the power and duties of the Data Protection Officer as stipulated by the Personal Data Protection Act, B.E. 2562 and to act as the Company’s Data Protection Coordinator.

Contact address: MBK Public Company Limited, No. 444, 8th Floor, Building MBK Center Phayathai Road Wang Mai Pathumwan Bangkok 10330

Tel: (66) 2832-2555

E-mail: [email protected]

If there is a complaint about the Company, its staff or employees violating or failing to comply with the law, you as a data subject may lodge a complaint to the supervisory authority as follows:

Office of the Personal Data Protection Committee

Contact address: 7th Floor, Rattaprasasan Phakdi Building, 80th Anniversary Government Center, Chaengwattana Road, Thung Song Hong Sub-District, Lak Si District, Bangkok 10210

The complaint must be filed within the time limit prescribed by law.

By the resolution of the company board of directors
Announced on 13 May 2020

Mr. Mongkol Phianphithakkit
Director