DATA PROTECTION POLICY

This Data Protection Policy (“Policy”) sets out the principles, standards, and procedures under which Exoben Inc. and its subsidiaries collect, store, process, protect, transfer, and disclose personal data. Exoben is committed to safeguarding all personal information entrusted to us, and we maintain strict compliance with applicable U.S. federal laws, Delaware corporate regulations, international data protection frameworks, and privacy obligations in all jurisdictions where we operate or engage users.

This Policy applies to all visitors, customers, investors, suppliers, employees, contractors, and any individual interacting with Exoben through our website, digital platforms, applications, communication systems, investment portals, or physical offices.

PURPOSE AND SCOPE OF THE POLICY

This Policy governs the collection and use of personal data, outlines the rights of data subjects, and describes the administrative, technical, and organizational measures established to safeguard all personal information processed by Exoben.

The objective is to ensure that data is handled lawfully, fairly, transparently, securely, and only for legitimate business purposes.

This Policy covers:

  • data collected online and offline
  • investor and shareholder-related data
  • employee and contractor information
  • customer and user data
  • data processed through third parties or integrated systems
  • cross-border data transfers

Exoben requires all employees, contractors, service providers, and partners to comply with this Policy at all times.

LEGAL BASIS FOR PROCESSING PERSONAL DATA

Exoben processes personal data only where at least one lawful basis exists:

Consent:

The data subject has clearly agreed to the use of their information for one or more specific purposes.

Contractual Necessity:

Processing is required to fulfill an agreement, including investor onboarding, account creation, employment arrangements, or service delivery.

Legal Obligation:

Processing is necessary for compliance with statutory, regulatory, or reporting requirements.

Legitimate Interests:

Processing is required for business activities such as operational efficiency, fraud prevention, platform security, internal analytics, or customer support, provided such interests do not override the rights of the data subject.

Public Interest or Regulatory Requirements:

Processing is required to comply with international investment regulations, KYC/AML procedures, or other legal frameworks where Exoben operates.

CATEGORIES OF PERSONAL DATA COLLECTED

Exoben may collect and process the following categories of personal information, depending on the nature of engagement:

  • Identity Information: full name, date of birth, nationality, identification documents, and verification data.
  • Contact Information: email address, phone number, physical address, and country of residence.
  • Financial and Investment Information: investment amounts, payment confirmations, bank or wallet data (processed through secure third parties), accredited investor documentation, transaction history, and shareholder records.
  • Usage and Technical Data: IP addresses, device identifiers, login logs, browser details, cookies, and interaction metrics.
  • Communication Records: emails, support messages, call logs, and documentation shared for customer or investor inquiries.
  • Employment and HR Data: professional background, CVs, references, performance information, payroll details, and compliance-related records.
  • Preference Data: marketing preferences, product interests, and communication preferences.

Personal data is collected through online forms, our website, investor portals, communication channels, contractual documentation, and third-party verification services.

HOW PERSONAL DATA IS USED

Exoben uses personal data solely for legitimate, lawful business purposes, including but not limited to:

  • creating and managing investor, customer, or user accounts
  • verifying eligibility for investments under Regulation D or Regulation S
  • fulfilling contractual and operational obligations
  • providing technical support and customer assistance
  • managing shareholder communications and reporting
  • processing payments through secure, compliant channels
  • improving platform functionality, security, and user experience
  • complying with AML/KYC, regulatory, and corporate requirements
  • conducting audits, risk assessments, and fraud prevention
  • delivering marketing communications where permitted by law and consented to by the user

We do not sell, rent, or commercially trade personal data.

DATA STORAGE, RETENTION, AND SECURITY MEASURES

Exoben uses industry-grade administrative, physical, and technical safeguards to ensure full protection of all personal information.

Personal data is stored only for as long as necessary to fulfill the purposes described in this Policy, meet legal obligations, resolve disputes, enforce agreements, and maintain long-term shareholder and investment records. Retention periods vary depending on regulatory, financial, and operational requirements.

To protect all personal information, Exoben employs a comprehensive, multilayered security framework.

This includes encrypted storage and encrypted transmission of sensitive data; secure firewalls and real-time intrusion monitoring; controlled access based on job roles and responsibilities; enforced authentication protocols; and internal confidentiality obligations binding all employees and contractors.

Security systems undergo periodic audits, updates, and vulnerability assessments to maintain strict compliance with international data protection standards.

Any third-party vendor processing data on our behalf must follow equal or stronger security and privacy standards, enforced through contract.

THIRD-PARTY ACCESS AND DATA SHARING

Exoben may share personal data only when necessary and only with:

  • authorized employees or departments
  • professional advisors such as auditors, legal counsel, and compliance partners
  • third-party service providers such as payment processors, cloud hosting providers, CRM systems, and identity verification platforms
  • regulatory authorities when legally required
  • affiliates or subsidiaries strictly for operational or compliance functions
  • potential acquirers or partners during a corporate transaction, subject to strict confidentiality measures

All such data sharing is governed by enforceable legal agreements requiring confidentiality, limited use, and full compliance with applicable laws.

Exoben does not share personal data for unrelated commercial benefit and does not engage in the sale of personal information.

CROSS-BORDER DATA TRANSFERS

Personal data may be transferred to countries where Exoben operates or where third-party service providers are based. All international transfers follow strict legal safeguards, including:

  • contractual clauses ensuring adequate protection
  • compliance with global privacy standards
  • secure and encrypted transmission
  • strict oversight and continuous monitoring

Data subjects will be informed when required by law.

RIGHTS OF DATA SUBJECTS

Depending on applicable laws, individuals may have the right to:

  • request access to their personal data
  • request correction or updates
  • request deletion (where legally permissible)
  • restrict or object to certain processing activities
  • withdraw consent at any time
  • request data portability
  • lodge complaints with relevant regulatory authorities

Exoben handles all rights-based requests with transparency and within legal deadlines.

DATA BREACH RESPONSE PROCEDURES

Exoben maintains internal incident-response protocols to detect, investigate, and mitigate data breaches.

If a breach occurs, Exoben will:

  • secure affected systems
  • evaluate the scope and impact
  • notify affected individuals and regulators where required
  • implement corrective measures
  • maintain full documentation of the incident

We take data protection seriously and act with urgency and transparency in all breach events.

UPDATES TO THIS POLICY

Exoben may update this Policy from time to time to reflect legal requirements, organizational changes, technological developments, or improvements in our security practices.

Any changes will be published on our website with an updated revision date.

CONTACT FOR DATA PROTECTION ENQUIRIES

Individuals may contact Exoben regarding this Policy or any data protection concerns at:

Email: privacy@exoben.com
Phone: +1 302-401-1490

Address:
Exoben Inc.
800 N King Street, Suite 304
Wilmington, DE 19801
United States