KYC / AML Policy

Effective Date: 08.04.2025

1. Introduction

GalaxyGrip OÜ (hereinafter, “the Company”), a private limited company registered in Estonia, is committed to full compliance with all applicable Anti-Money Laundering (AML), Know Your Customer (KYC), and Counter-Terrorist Financing (CTF) laws and regulations in the European Union (EU) and the Republic of Estonia, as well as international best practices. This Policy outlines the Company’s procedures to prevent and detect money laundering, terrorist financing, and other illicit activities within its operations.

The Company operates an online platform (https://xgify.com) for the sale of digital gift certificates and mobile account top-up cards, serving both individual and corporate customers. In conducting these activities, the Company acknowledges its legal obligations and ethical responsibility to implement robust measures against money laundering and terrorist financing.

This AML/KYC Policy forms a core component of the Company’s overall compliance framework. It establishes a systematic approach to customer due diligence, transaction monitoring, and record-keeping designed to identify and mitigate risks. Through this Policy, the Company aims to protect its business and stakeholders from being misused for financial crime and to comply with all relevant AML/CTF requirements.

While the Company’s platform allows customers to make purchases without registering an account or providing personal information in low-risk scenarios, this Policy ensures that appropriate due diligence is conducted whenever higher-risk factors are present. The Company employs a risk-based approach whereby verification measures are scaled according to the level of risk: most small, routine transactions can be completed with minimal friction, whereas any transaction that triggers suspicion or legal thresholds will prompt immediate customer due diligence and reporting as necessary.

2. Definitions

  • Money Laundering: Any act or attempted act to conceal or disguise the identity of illegally obtained proceeds so that they appear to have originated from legitimate sources. (Defined in Directive (EU) 2015/849, Art. 3)
  • Terrorist Financing: The act of providing, collecting, or using funds or assets, whether from legal or illegal sources, with the intent or knowledge that they will be used to support terrorist acts or organizations.
  • AML (Anti-Money Laundering): Measures, policies, and procedures designed to detect, deter, and prevent money laundering and terrorist financing, in compliance with applicable laws and regulations.
  • KYC (Know Your Customer): The process of verifying the identity of customers and assessing their suitability and risk profiles to ensure compliance with AML/CTF requirements. It includes customer identification, due diligence, and ongoing monitoring.
  • CTF (Counter-Terrorist Financing): Measures aimed at preventing the financing of terrorism, often implemented in conjunction with AML controls.
  • Customer Due Diligence (CDD): The mandatory process of identifying and verifying a customer’s identity, understanding the nature of the customer’s activities, and assessing the risk they may pose. CDD can be performed at different levels (simplified, standard, or enhanced) depending on the risk level.
  • Enhanced Due Diligence (EDD): Additional and more thorough measures of verification and investigation applied to high-risk customers or transactions, such as obtaining more information about the source of funds or requiring senior management approval for the business relationship.
  • Simplified Due Diligence (SDD): Reduced verification measures applicable to low-risk scenarios as permitted by law, where the risk of money laundering is deemed minimal.
  • Politically Exposed Person (PEP): An individual who is or has been entrusted with prominent public functions (e.g., heads of state, senior government, judicial, or military officials), including their immediate family members or close associates. PEPs are subject to enhanced due diligence due to the higher risk of involvement in corruption or bribery.
  • Beneficial Owner: The natural person(s) who ultimately owns or controls a customer (for example, owning 25% or more of a company’s shares or voting rights), or the person on whose behalf a transaction is conducted. Identifying beneficial owners is required to prevent hiding illicit assets behind legal entities.
  • Sanctions List: A list of individuals, entities, or countries subject to restrictive measures (such as asset freezes or travel bans) under international, EU, or national sanctions regimes. Examples include lists maintained by the United Nations, European Union, and the U.S. Office of Foreign Assets Control (OFAC).
  • High-Risk Jurisdiction: A country or region identified as having strategic deficiencies in its AML/CTF regime or subject to international sanctions/embargoes, thus posing a higher risk of money laundering or terrorist financing. This includes jurisdictions highlighted by the FATF as high-risk or under increased monitoring.

3. Scope

This Policy applies to all aspects of the Company’s operations and to all individuals and entities involved. It covers every customer (individual or legal entity) who uses the Company’s platform or services, whether or not they have registered a user account, and all Company personnel, including employees, officers, contractors, and any third parties acting on behalf of the Company in relation to its services.

The Policy governs all products and services offered by the Company via its platform (including digital gift certificates, mobile account top-up cards, and similar prepaid products) regardless of geographic location. All departments and employees of the Company must adhere to the procedures and controls set forth in this Policy in their day-to-day activities.

Compliance with this Policy is mandatory. Failure to comply may result in internal disciplinary action and could expose the Company and responsible individuals to legal and regulatory sanctions. In cases where applicable laws or regulations impose stricter requirements than those set out in this Policy, the stricter requirements shall prevail. Conversely, if any provision of this Policy conflicts with applicable law, the requirements of the law take precedence, and this Policy will be updated accordingly to maintain compliance.

4. Regulatory Framework

The Company’s AML and CTF measures are designed to meet the requirements of all applicable laws, regulations, and guidance in the jurisdictions where it operates. Key legal and regulatory provisions considered in the development of this Policy include:

4.1. EU Directives and Regulations:

  • Directive (EU) 2015/849 (Fourth AML Directive): On the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. This directive established a risk-based approach to AML and laid out customer due diligence requirements.
  • Directive (EU) 2018/843 (Fifth AML Directive): Amending the Fourth AML Directive, including provisions to address emerging risks (such as virtual currencies and prepaid cards) and enhance transparency of financial transactions and corporate ownership.
  • Directive (EU) 2018/1673 (Sixth AML Directive): On combating money laundering by criminal law, harmonizing the definition of money laundering offenses and related penalties across EU member states.
  • Regulation (EU) 2015/847: On information accompanying transfers of funds (the “Funds Transfer Regulation”), requiring accurate payer and payee information to accompany electronic transfers in order to enhance traceability of funds.
  • Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR): Governing the protection of personal data, which impacts how customer personal data collected for AML/KYC purposes is handled, stored, and protected.

4.2. Estonian Legislation and Guidance:

  • Money Laundering and Terrorist Financing Prevention Act (Estonia): The primary Estonian legislation implementing EU AML/CTF directives. This law defines the obligations of “obligated entities” (such as the Company) regarding customer identification and verification, risk assessment, record-keeping, the reporting of suspicious transactions, and establishment of internal controls to prevent money laundering and terrorist financing.
  • Guidelines from Estonian Authorities: Guidance and rules issued by Estonian regulatory and law enforcement bodies – including the Estonian Financial Intelligence Unit (FIU) and the Estonian Financial Supervision Authority (Finantsinspektsioon) – which provide interpretation of AML/CTF obligations and best practices. The Company takes into account any such official guidance to ensure its compliance program meets national expectations and industry standards.

4.3. International Standards and Guidance:

  • Financial Action Task Force (FATF) Recommendations: Internationally endorsed AML/CTF standards which influence EU and Estonian regulations. The Company takes into account FATF’s risk-based approach guidance and its list of high-risk jurisdictions when assessing and managing risk.
  • Industry Best Practices: Guidelines from international standard-setting bodies and industry groups (e.g., the Basel Committee on Banking Supervision, the Wolfsberg Group) to ensure the Company’s AML controls meet globally recognized benchmarks and adapt to evolving methods of financial crime.

5. Compliance Program

The Company has implemented a comprehensive AML/CTF compliance program proportionate to the nature and size of its business. This program is designed to prevent illicit activities and ensure full compliance with the above regulatory framework. Key elements of the Company’s Compliance Program include:

  • Written Policies and Procedures: Maintenance of up-to-date internal policies (such as this AML/KYC Policy) and detailed operational procedures that clearly outline the controls in place and the responsibilities of staff to mitigate money laundering and terrorist financing risks.
  • Risk Assessment: A documented risk assessment process that identifies and evaluates potential money laundering and terrorist financing risks the Company may face. This includes methodologies for risk scoring (e.g., customer risk-rating matrices, product/service risk factors, and transaction patterns) and is regularly updated to reflect changes in risk profiles or regulatory expectations.
  • Employee Training and Awareness: Ongoing training programs for all relevant employees to ensure they understand current AML/CTF laws, the Company’s internal procedures, how to recognize indicators of suspicious activity, and their individual obligations under this Policy.
  • Independent Audit and Review: Periodic independent reviews or audits of the AML/CTF compliance program (at least annually, or more frequently if required by law or risk) to test the effectiveness of internal controls and adherence to this Policy. Findings of such reviews are reported to senior management. Any identified deficiencies or areas for improvement are addressed promptly to enhance the program.
  • Transaction Monitoring and Reporting Mechanisms: Implementation of systems and controls (including automated monitoring tools where appropriate) to detect unusual or high-risk transactions. This is coupled with clear procedures for the timely internal escalation of suspicious activities. Confirmed suspicious transactions or activities are reported to the relevant FIU in compliance with legal requirements.

6. Operational Compliance

The Company applies a risk-based approach in its day-to-day operations to ensure effective compliance with AML/KYC requirements. The practical implementation of the compliance program involves detailed procedures for customer due diligence, ongoing monitoring, and record-keeping, as outlined below.

6.1. Customer Identification and Verification (Know Your Customer)

Prior to establishing a business relationship or processing a transaction that requires customer identification under this Policy or applicable law, the Company conducts a Customer Identification Program (CIP) to verify the identity of the customer (whether an individual or a legal entity). The extent of information collected and verified will depend on the nature of the customer and the level of due diligence required.

  • Individuals: When customer due diligence is required for an individual customer, the Company collects at least the following information: full name, date of birth, place of birth, nationality, residential address, and contact details (e.g., phone number, email). The customer is required to provide a valid government-issued photo identification document (such as a passport, national ID card, or driver’s license) and, if needed, additional proof of address (such as a utility bill or bank statement).
  • Legal Entities: For corporate or other legal entity customers (e.g., a business purchasing gift cards in bulk), the Company collects at minimum: the entity’s full legal name, registration number, registered office address, and country of incorporation. The Company will obtain documents evidencing the legal existence and structure of the entity (e.g., certificate of incorporation, articles of association) and information on the entity’s directors and ultimate beneficial owners (generally persons owning 25% or more of the entity’s shares or voting rights). Official registry extracts or certificates (such as an extract from the Estonian Commercial Register, or the relevant national business registry in the entity’s jurisdiction) may be required to verify these details.

All information and documents gathered under the CIP are verified for authenticity and accuracy. Verification may include cross-checking information against independent data sources and databases, using electronic identity verification services, and/or requesting notarized or certified copies of documents in cases where online verification is not sufficient. The Company will only accept identification documents that are valid (unexpired and legitimately issued) and will reject any documents that appear to be forged or altered.

If the identity of a customer cannot be satisfactorily verified, the Company will not establish the business relationship or carry out the transaction for that customer. In such cases, the Company will consider whether to file a suspicious activity report and will refrain from transacting with the customer until compliance concerns are resolved.

6.2. Customer Risk Assessment and Due Diligence Measures

The Company assesses the money laundering and terrorist financing risk associated with each customer at onboarding (when a business relationship is established or an initial qualifying transaction is made) and periodically thereafter. Based on factors such as the customer’s profile, geographic location, type of products or services used, transaction patterns, and any links to high-risk categories, the Company classifies customers into risk categories (for example, Low, Medium, or High risk). The level of due diligence and ongoing monitoring applied is commensurate with the assigned risk level.

  • Low-Risk Customers: Customers whose characteristics, activities, and source of funds present minimal risk. Typically, these might be customers who are long-term residents of EU/EEA countries, transacting in small, routine amounts through regulated financial channels, with transparent and legal sources of funds. For such customers, the Company may apply Simplified Due Diligence (SDD) measures as permitted by law.
  • Medium-Risk Customers: Customers that do not clearly fall into low or high risk categories. This group might include individuals with less transparent profiles or those conducting larger transactions on an occasional basis. The Company applies standard due diligence measures for these customers and keeps their activities under regular review for any changes that might elevate their risk profile.
  • High-Risk Customers: Customers with elevated risk factors, such as Politically Exposed Persons (PEPs); customers from or located in high-risk jurisdictions (with weak AML/CTF controls or subject to sanctions); customers involved in industries or activities known to be susceptible to higher corruption, fraud, or crime risk; or those exhibiting unusual or complex transaction patterns. These customers are subject to Enhanced Due Diligence (EDD) measures (see Section 6.4).

Risk categorization is not static. The Company performs ongoing due diligence and will adjust a customer’s risk rating if new information emerges or if the customer’s behavior changes in a way that affects risk. For example, if a previously medium-risk customer begins conducting significantly larger or atypical transactions, or if a customer’s country of residence is added to a sanctions or high-risk list, the risk rating will be escalated accordingly. All risk assessments are documented and form the basis for determining the level of scrutiny and control measures applied to the customer.

6.3. Simplified Due Diligence (SDD)

In cases where a customer or transaction is considered low-risk and qualifies for exemptions under applicable AML laws, the Company may perform Simplified Due Diligence. SDD means that the intensity of customer verification and transaction monitoring may be reduced, although not eliminated. Examples of situations that might justify SDD include:

  • The customer is itself a regulated financial institution or another business subject to equivalent AML/CTF regulations (e.g., an EU-regulated bank or licensed payment institution) and is obliged to conduct its own AML checks.
  • The products or services involved have limited utility for money laundering – for example, low-value transactions below defined thresholds, or gift certificate or mobile top-up purchases under a small amount – and are not complex or high-value instruments.
  • The customer is from a country or jurisdiction with proven low levels of corruption and strong AML regulations (such as an EU Member State), and the transaction amounts are below applicable risk thresholds.

When applying SDD, the Company still gathers basic identifying information (such as a name and contact method) but may not require extensive verification documents from the customer. Before deciding to apply SDD, the Company ensures that the situation indeed presents a lower risk and that no high-risk factors (such as suspicious indicators or sanctions hits) are present. If any doubt arises about the customer or the transaction, the Company will forgo SDD and perform full standard CDD instead.

6.4. Enhanced Due Diligence (EDD)

For any customer classified as high-risk, or any situation that by its nature presents a higher risk of money laundering or terrorist financing, the Company applies Enhanced Due Diligence. EDD involves a greater level of scrutiny and the application of additional measures to thoroughly understand and mitigate the risks. EDD is mandatory in certain cases (such as when dealing with PEPs or customers from high-risk countries) and is also applied whenever other risk factors elevate a customer or transaction to high risk. Situations requiring EDD include, for example:

  • The customer or related parties are identified as being on a sanctions list, or the customer is from a country subject to international sanctions or identified by the FATF as high-risk.
  • The customer’s transactions or requested services are unusually large in value, lack an apparent economic or lawful purpose, or are inconsistent with the customer’s known profile or stated business purpose.
  • Negative information or adverse media has surfaced about the customer, or the customer has prior convictions or a known history involving financial crimes, fraud, or other illicit activities.

When conducting Enhanced Due Diligence, the Company may undertake measures including, but not limited to:

  • Obtaining additional identification documents or information to further verify the customer’s identity and to understand the customer’s source of wealth and source of funds (for example, asking for bank statements, income proof, or documentation showing how the customer acquired the funds used in the transaction).
  • Requiring the customer to provide a detailed explanation of the intended purpose and nature of the business relationship or transaction. (For example, if a customer wishes to make a large purchase of gift cards, the Company might ask for the reason and intended use.)
  • Conducting independent background checks on the customer, such as screening the customer’s name (and the names of any beneficial owners, in the case of a legal entity) against databases for PEP status, international sanctions, or adverse media. The Company may also require senior management approval before onboarding a high-risk customer or allowing a high-risk transaction to proceed.
  • Increasing the frequency and depth of ongoing monitoring of the customer’s transactions and activities.

Note: The Company may utilize reputable third-party services or specialized software tools to facilitate customer verification and screening (e.g., identity document authentication services, sanctions/PEP screening databases). Any third-party service provider engaged for KYC/AML purposes is subject to due diligence by the Company to ensure they meet required standards and comply with data protection laws and the Company’s Privacy Policy.

6.5. Record-Keeping and Retention

Proper record-keeping is a fundamental part of the Company’s AML compliance efforts. The Company maintains complete and organized records of all customer due diligence information and transaction data, in accordance with legal requirements and internal policies. This includes retaining copies of identification documents obtained, records of customer profiles and risk assessments, transaction histories, and reports of any suspicious activities identified and reported. All records are maintained in a secure manner (either electronically in protected databases or in physical form in locked storage) with access restricted to authorized personnel only.

Even in situations where full customer identity information is not collected (for example, low-value one-off purchases under the SDD approach), the Company still retains relevant transactional information – such as purchase details, payment method information, email or contact data provided for the transaction, timestamps, and amounts – to ensure there is an audit trail for every transaction. In this way, even “anonymous” or non-registered customer transactions can be reviewed in aggregate, and suspicious patterns can be detected and investigated using available data.

All records related to AML/KYC compliance are kept for a minimum of five (5) years after the end of the business relationship with the customer or, in the case of an occasional (one-off) transaction with no ongoing relationship, five years after the date of that transaction. This retention period is in accordance with applicable AML laws and regulations. If required by law or upon official request by competent authorities, the retention period may be extended. After the expiration of the required retention period (and provided no legal hold or ongoing investigation requires further retention), the Company will securely dispose of or anonymize the data to protect customer privacy.

Records maintained by the Company include documentation of any internal analyses performed (for instance, notes on why a particular customer was classified as high risk, or why a transaction was considered suspicious or not suspicious), as well as records of all Suspicious Transaction Reports (STRs) or Suspicious Activity Reports (SARs) submitted to the authorities. These records will be readily available for review by auditors or regulators to demonstrate the Company’s compliance with its record-keeping and reporting obligations.

7. Sanctions Compliance and PEP Screening

The Company fully complies with all applicable international and national sanctions regimes and has measures in place to ensure that it does not facilitate transactions with sanctioned individuals, entities, or countries. This commitment includes:

  • Sanctions Screening: Screening all new and existing customers against relevant sanctions lists, including but not limited to the consolidated sanctions lists of the European Union, United Nations Security Council, and other global sanctions lists (such as those maintained by the U.S. OFAC). Screening is also applied to transaction counterparties or beneficiaries when relevant. This screening is conducted at onboarding and periodically (and in real-time for transactions where feasible) to capture any updates.
  • Preventative Controls: Implementing controls to detect and prevent dealings with countries, regions, or persons that are under embargo or subject to significant trade restrictions.

In addition to sanctions, the Company recognizes that Politically Exposed Persons (PEPs) require special attention. Although PEPs are not by default forbidden from using the Company’s services, they are considered higher-risk customers under AML laws due to the possibility of their exposure to corruption or bribery. The Company therefore takes the following measures regarding PEPs:

  • PEP Identification: During customer onboarding and at periodic intervals, the Company checks whether a customer (or the customer’s beneficial owner, in the case of a legal entity) is a PEP. This is done by asking customers for relevant information in the signup or transaction process and by screening customer names against known PEP databases or lists.
  • Enhanced Due Diligence for PEPs: If a customer or beneficial owner is identified as a PEP, the Company applies Enhanced Due Diligence. This includes obtaining senior management approval before establishing or continuing a business relationship with the PEP, taking reasonable measures to establish the source of wealth and source of funds that the PEP will be using in relation to the Company’s services, and conducting enhanced ongoing monitoring of that relationship (with more frequent reviews of transaction activity).

8. Training and Awareness

The Company maintains a robust AML/CTF training program to ensure that all relevant employees are aware of their obligations and are equipped to implement this Policy effectively. Training and awareness initiatives include:

Through ongoing education and a culture of compliance, the Company ensures that its employees remain vigilant and capable of applying AML/KYC measures appropriately.

9. Data Protection and Privacy

Handling of personal data for AML/KYC purposes is carried out in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and relevant national data privacy laws. The Company also adheres to its internal Privacy Policy and Cookie Policy when collecting and processing customer information under this AML/KYC Policy.

  • Data Minimization and Purpose Limitation: The Company collects only the personal data that is necessary to meet its AML/KYC obligations (e.g. identification details, verification documents, and transaction information). Such data is used solely for purposes of preventing money laundering/terrorist financing, fulfilling legal compliance requirements, and other related purposes described in the Privacy Policy (such as fraud prevention). Personal data collected for AML/KYC will not be used for unrelated purposes (such as marketing) without the customer’s consent.
  • Security and Confidentiality: All customer data collected pursuant to this Policy is treated as confidential and is subject to strict security controls. The Company implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include encryption, access controls that limit data access to authorized personnel on a need-to-know basis, and network security protocols. Employees are expressly forbidden to misuse or share customer personal data outside the scope of their job duties. Any employee found to have breached data confidentiality or security policies may face disciplinary action, up to and including termination.
  • Retention Period: In accordance with AML laws and Article 40 of Directive (EU) 2015/849, the Company retains records of customer identification and transactions for a minimum of five (5) years after the end of the business relationship with the customer, or from the date of an occasional transaction (if the customer does not establish an ongoing relationship). This retention period may be extended if required by local law or upon official request from competent authorities (for example, in the event of an ongoing investigation). After the retention period expires, the Company will securely destroy or anonymize personal data, unless a legal exception applies that permits further retention. (As noted in Section 6.5, basic transaction records may be kept without personal identifiers in an anonymized form for business analysis, but not in a way that violates privacy laws.)
  • Customer Rights: The Company’s customers have certain rights over their personal data as described in the Privacy Policy, including the rights to access and correct their personal information. However, some rights (such as the right to deletion or objection) may be restricted with respect to data kept for AML compliance purposes. For instance, the Company cannot delete a customer’s identification records if it is legally required to retain them for the 5-year period. The Company provides customers with information about how their data is used for KYC/AML in the Privacy Policy and will respond to privacy-related requests or inquiries in line with GDPR and applicable laws, taking into account the AML obligations.

The Company’s data processing activities for AML/KYC compliance are subject to regular oversight to ensure they remain in line with privacy requirements. Any third-party service providers that handle customer data on behalf of the Company for AML/KYC purposes (for example, an identity verification service or a sanctions screening tool provider) are required to have strong data protection measures in place. These providers are bound by data processing agreements that oblige them to use the data only for the intended compliance purposes and to safeguard it according to GDPR standards. All handling of personal information under this Policy is in line with the Company’s Cookie Policy (for any web-based data collection or tracking related to analytics or session management) and the Company’s Privacy Policy. Those documents should be read in conjunction with this Policy for a full understanding of how the Company manages customer data.

10. Customer Communication and Outreach

The Company believes in transparency and maintaining open communication with its customers regarding compliance requirements. Key practices in customer communication include:

  • Disclosure of Requirements: The Company clearly informs customers about the need for identity verification and the reasons why such information is required. These disclosures are provided in the Terms & Conditions of service and at relevant points during the purchase process (for example, during checkout or account registration workflows). Customers are made aware that any request by the Company for personal documentation or information is driven by legal compliance obligations and the Company’s commitment to security.
  • Obtaining Consent: Where required (for instance, under data protection laws), the Company obtains the customer’s consent to process their personal data for KYC/AML purposes. During the information collection process, customers are usually asked to acknowledge the Privacy Policy, which details how their data will be used and protected. The Company ensures customers understand that by proceeding with certain transactions (especially those that require identity verification), they are consenting to the processing of their data for compliance checks.
  • Ongoing Communication: If additional information, clarification, or documentation is needed from a customer as part of due diligence (for example, an explanation of an unusual transaction, or an updated identity document when a previous one expires), the Company will reach out promptly using the customer’s provided contact information (such as email or phone). Communications to customers will clearly state what information is required and why, as well as a reasonable deadline for the customer’s response. The consequences of failing to provide the requested information in a timely manner will also be explained (e.g., temporary suspension of service or a delay/cancellation in completing the transaction).
  • Customer Support: The Company maintains customer support channels to address questions or concerns related to account verification or compliance procedures. The support team is trained to handle basic inquiries – such as why certain documents are needed, how to upload verification information, or why an account may be temporarily restricted pending KYC completion.
  • Notification of Policy Updates: Material changes to this AML/KYC Policy or related procedures that affect how customers are onboarded or monitored will be communicated to customers through appropriate channels (for instance, an email notification to users or an announcement on the Company’s website). Customers will be directed to review the updated Policy online. Continued use of the Company’s services after such notification constitutes acknowledgement and acceptance of the updated compliance requirements.

By proactively communicating with customers, the Company aims to make the compliance process as clear and cooperative as possible. This approach helps encourage customers to comply with KYC requests in a timely manner and maintains trust in the Company’s platform. Ultimately, transparency in why and how the Company conducts AML/KYC procedures fosters a safer environment for all users.

11. Policy Review and Updates

This AML/KYC Policy is approved by the Company’s senior management and is effective as of 08.04.2025. It remains in effect until it is superseded by a revised version. The Policy will be reviewed at least annually, and additionally whenever there are significant changes in applicable laws or regulations, or changes in the nature of the Company’s business that might impact its AML/CTF risk exposure or obligations.

All Company personnel are required to familiarize themselves with the current version of this Policy and to acknowledge their understanding (either in writing or electronically, as mandated by internal procedures). If any updates or changes are made to the Policy, employees will receive training or briefings as necessary to ensure continued effective implementation in their daily work.

If any part of this Policy is found to be in conflict with applicable laws or regulations, the requirements of the law will prevail and the conflicting part of the Policy will be amended accordingly as soon as possible. The Company will maintain records of each version of this Policy, including the dates of approval and a summary of changes, for audit and regulatory review purposes.