PRIVACY STATEMENT (VERSION JANUARY 2026)

This Privacy Statement explains in a simple and transparent way how Primo Advisors Limited (in this Privacy Statement, “us”, “we” and “our”) collects, uses and discloses your personal data, and your rights in relation to the personal data it holds. Our approach can be summarized as: the right people use the right data for the right purpose.

We are the data controller of your personal data and are subject to the DIFC Data Protection Law (DIFC Law no 5 of 2020), DIFC Data Protection Regulations and ADGM Data Protection Regulations 2021 (hereafter referred to as the “Data Protection Law”).

This Privacy Statement supersedes any previous Privacy Statement or equivalent which you may have been provided with or seen prior to the effective date stated above.

This Privacy Statement applies to Primo Advisors Limited, including its entity in the Dubai International Financial Centre (DIFC) and its branch in the Abu Dhabi Global Market (ADGM). It covers:

• Our past, present and prospective customers; and
• Anyone involved in any transaction or interaction with us, whether it is in your personal capacity or as a representative of a legal entity (for example, director, a company manager, agent, legal representative, operational staff, other authorized representative, etc.)

We obtain your personal data as follows:

• From the information you provide to us when you meet or interact with us
• From information about you provided to us by your company or an authorized intermediary
• When you communicate with us by telephone, email, web form or other forms of electronic communication. In this respect, we may monitor, record and store any such communication
• When you complete (or we complete on your behalf) client on-boarding or application or other forms
• From your agents, advisers, and intermediaries; or
• From publicly available sources or from third parties, most commonly where we need to conduct background checks about you.

We collect the following categories of personal data about you:

• Your name and contact information such as your home or business address, email address, telephone number and social media contact details
• Biographical information which may confirm your identity including your date and place of birth, your passport number or national identity card and visa details, country of domicile and/or your nationality
• An understanding of your goals and objectives in procuring our services
• Information about your employment, education, family or personal circumstances, and interests, where relevant; and
• Where applicable and legally permissible audio-visual data such as surveillance videos, recording of phone or video calls or chats with our employees or offices.

Special categories of personal data are data relating to your religious beliefs, genetic or biometric data. We may process your special categories of personal data if:

• We have your explicit consent to do so; or
• We are required or allowed to do so by applicable local law (for instance to comply with money laundering and terrorism financing monitoring: we monitor your activity and may report it to the competent regulatory authorities).

Processing means every activity that can be carried out in connection with personal data such as collecting, recording, storing, adjusting, organizing, using, disclosing, transferring or deleting it in accordance with applicable laws.

We only use your personal data under one of the following legal grounds:

• - To conclude and carry out a contract with you;
• - To comply with our legal obligations; 
• - When we have your consent. In this case, you may withdraw your consent at any time.

We may process your data for the following purposes: 

 For example, when you wish to become our customer, we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you as a customer. We also need to know your postal, e-mail address or phone number to contact you.

We use information about you when you enter into an agreement with us or when we have to contact you. We analyze information about you to assess whether you are eligible for our products and services.

We may ask you for feedback about our products and services, or record your conversations with us online, by telephone or in our office. We may share this with certain members of our staff to improve our offering or to customize products and services for you. If you don’t wish to receive these offers you have the right to object or to withdraw your consent by sending an email or telephoning us (see section “Our Contact Details” below).

We have a duty to protect your personal data and to prevent, detect and contain any breaches of your data. This includes personal data we are obliged to collect about you, for example to verify your identity when you become a customer.

We process your data to comply with a range of legal obligations and statutory requirements.

To provide you with our services, we share certain personal data externally with third parties.

Whenever we share your personal data externally with third parties in countries without a deemed adequate level of protection for personal data, we ensure the necessary safeguards are in place to protect it. We rely hereby upon, amongst others:

• The conclusion or the execution of an agreement in your favor
• Requirements based on applicable local laws and regulations
• When applicable, we use standardized contractual clauses in agreement with service providers to ensure personal data transferred to countries without an adequate level of protection for personal data comply with the DIFC Data Protection Law or GDPR, as applicable
• Your explicit consent
• International treaties that protect personal data transferred to certain service providers abroad.

When we use other service providers or third parties to carry out certain activities in the normal course of business, we may have to share personal data required for a particular task. The service providers include:

• IT service providers who may provide application or infrastructure (such as cloud) services
• Marketing activities or events and managing customer communications
• Preparing reports and statistics, printing materials and designing products
• Placing advertisements on apps, websites and social media
• Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors
• Identifying, investigating or preventing fraud or other misconduct by specialized companies.

We respect your individual rights to determine how your personal data is used. These rights include:

You have the right to ask us for an overview of your personal data that we process.

If your personal data is incorrect, you have the right to request us to rectify it. If we shared data about you with a third party and that data is later corrected, we will also notify that party accordingly.

You can object us using your personal data for our own legitimate interests (for example, marketing). We will consider your objection and stop processing your data unless we assess that we have legitimate and imperious reasons that justify processing your data.

You can also object to receiving commercial messages from us (by e-mail, mail and phone) or for statistical purposes. When you become our customer, we may ask you whether you want to receive personalized offers. Should you later change your mind, you can choose to opt out of receiving these messages by sending an email to us (see section “Our contact details” below).

You have the right not to be subject to decisions which may legally or significantly affect you and that were based solely on automated processing using your personal information. In such cases you may ask to have a person to make the decision instead.

Some of our decisions are the result of automated processes for which you gave us explicit consent, or these decisions are necessary to perform or fulfil a contract with you. In both cases, you may ask for human intervention and contest the resulting decision.

Your right to object and to contest may be impeded if automated decisions are made for legal reasons.

You have the right to ask us to restrict using your personal data for the period necessary to us for our verifications if:

• You believe the information is inaccurate
• We are processing your personal data unlawfully
• You have objected to us processing your personal data for our own legitimate interests
• You have the same right if we no longer need your personal data, but you want us to keep it for use in a legal claim.

 You have the right to ask us to transfer some of your personal data directly to you or to another company. This applies to personal data we process by electronic means and with your consent or because of a contract with you. Where technically feasible, we will transfer your personal data.

Unless required by law, you may ask us to erase your personal data if:

• We no longer need it for its original purpose
• You withdraw your consent for processing it
• You object to us processing your data for our own legitimate interests (except for legitimate and compelling interests) or for commercial messages; or
• - We unlawfully process your personal data.

Should you not be satisfied with the way we have responded to your concerns you have the right to submit a complaint to us ([email protected]). 

You can also contact the DIFC Protection Commissioner (DIFC the Gate, Level 14, PO Box 74777, Dubai, T.: +971 4 362 2600) or ADGM Office of Data Protection (ADGM Authorities Building, ADGM Square, Al Maryah Island, Abu Dhabi, T.: 971 2 333 8888, Email: : [email protected], Webform: Submit a complaint to ADGM) 

You can also exercise your rights by contacting us (see section “Our contact details” below).

We aim to respond to your request as quickly as possible. In some instances, this could take up to one month. Should we require more time to complete your request, we will let you know how much longer we need and provide reasons for the delay. In certain legal cases, we may deny your request. If it’s legally permitted, we will let you know in due course why we denied it.

In some cases, we are legally required to collect personal data, or your personal data may be needed before we may perform certain services and provide certain products. We undertake to request only the personal data that is strictly necessary for the relevant purpose. Failure to provide the necessary personal data may cause delays or lead to refusal of certain products and services.

We take appropriate technical and organizational measures (policies, procedures, IT security, etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed. We apply an internal framework of policies and minimum standards across our business to keep your personal data safe. These policies and standards are periodically updated to keep them up to date with regulations and market developments.

In addition, our employees are subject to confidentiality obligations and may not disclose your personal data unlawfully or unnecessarily. To help us continue to protect your personal data, you should always contact us if you suspect that your personal data may have been compromised.

We will only retain your personal data for as long as we have a lawful reason to do so. In particular, we will in most cases retain your personal data for a period of ten years after the termination of our contractual or other relationship with you in case any claims arise out of the provision of our services to you.

When your personal data is no longer necessary for a process or activity for which it was originally collected, we delete it, or bundle data at a certain abstraction level, render it anonymous and dispose it in accordance with the applicable laws and regulations.

Our website uses cookies and similar technologies to enhance your browsing experience, analyze site usage, and support our marketing efforts. Cookies are small text files that are stored on your device when you visit our website.

We use the following types of cookies:

• Strictly Necessary Cookies: These are essential for the operation of our website and cannot be switched off in our systems.
• Performance and Analytics Cookies: These help us understand how visitors interact with our website by collecting and reporting information anonymously.
• Functionality Cookies: These enable the website to provide enhanced functionality and personalization.
• Targeting/Advertising Cookies: These may be set through our site by our advertising partners to build a profile of your interests and show you relevant adverts on other sites.

You can manage your cookie preferences at any time through our website’s cookie settings. Where required by law, we will obtain your consent before placing non-essential cookies on your device. You may also disable cookies through your browser settings; however, this may affect the functionality of the website.

We may use AI and automated systems to process personal data for purposes such as service delivery, risk management, compliance, and enhancing client experience.

We are committed to ensuring that all use of AI within our operations is subject to robust human oversight. All input provided to, and output generated by, our AI systems is reviewed and validated by authorized personnel. Our AI solutions operate exclusively within our secure internal infrastructure; we do not export your personal data to the public domain or to any external AI platforms. This approach ensures that your personal data remains protected within our organization and is never shared with third-party AI providers or made publicly accessible.

In accordance with DIFC Regulation 10 and ADGM Data Protection Regulations 2021, we ensure that:

• You will be clearly informed when your personal data is processed by AI or automated systems, including the logic involved, the significance, and the potential consequences of such processing.
• Our AI systems are designed and operated in line with principles of fairness, non-discrimination, security, and accountability. We regularly review and audit these systems to ensure compliance.
• AI is only used for human-defined or approved purposes, and not for any incompatible or undisclosed purposes.
• Where AI is used for high-risk processing (such as profiling or automated decision-making that produces legal or similarly significant effects), we conduct Data Protection Impact Assessments (DPIAs) and implement additional safeguards.
• We do not use your personal data to train AI models unless you have been specifically informed and, where required, have provided your explicit consent.
• If AI systems or service providers are located outside the DIFC or ADGM, we ensure that appropriate safeguards are in place for cross-border data transfers.

You have the right to:

• Obtain meaningful information about the use of AI and automated processing.
• Object to or restrict certain types of automated processing, including profiling.
• Request human intervention in decisions made solely by automated means and to contest such decisions.
• Withdraw your consent for AI processing where consent is the legal basis.

We may amend this Privacy Statement to remain compliant with any changes in law or to reflect how our business processes personal data. This version was created and published on 1 January 2026 and entered into force on the same date. The most recent version is available on our website www.primoadvisors.com.

You can address your queries regarding this Privacy Statement to:

Primo Advisors Limited

Central Park Towers, Office Tower, Level 17, Office 17-39

DIFC, Dubai, UAE

[email protected]

Primo Advisors Limited – ADGM Branch

Addax Port Office Tower, Level 38, Office 3801-C2. D005

Al Reem Island, Abu Dhabi, UAE