Modular Finance is committed to protecting your personal data. This Privacy Policy contains information on what personal data we process, how and why we process it and what your rights are as a data subject.

PRIVACY POLICY

Version 2.0. Last updated on 9 October 2025

1. GENERAL

1.1 Modular Finance AB (“Modular Finance”, “we”, “us”, “our”) is fully committed to protecting your personal integrity and take measures to ensure that your personal data is safe when processed by us. This policy (the “Privacy Policy”) contains information on what personal data we collect, how we process it and the purposes of our processing. It also describes your rights as a data subject in respect of the personal data we process about you.

1.2 Our processing of personal data is subject to the General Data Protection Regulation (Regulation (EU) ²⁰¹⁶⁄₆₇₉, “GDPR”) and other applicable laws and regulations on data protection and privacy. The terms “personal data”, “processing”, “data subject” and “controller” used herein shall have the meanings ascribed to them in the GDPR.

1.3 Modular Finance holds a publishing certificate for Holdings (Sw. utgivningsbevis), granted under the Swedish Fundamental Law on Freedom of Expression (Sw. Yttrandefrihetsgrundlagen (1991:1469))(“YGL”). This publishing certificate exempts certain data processing activities related to the Holdings database from the GDPR, to the extent that the application of the GDPR would conflict with YGL.

2. PERSONAL DATA CONTROLLER

Modular Finance AB, reg. no. 556920-1998, with its registered address at Döbelnsgatan 24, 113 52, Stockholm, Sweden, is the personal data controller for the personal data processing covered by this Privacy Policy.

3. SOURCES FROM WHICH WE GATHER PERSONAL DATA

3.1 We process personal data provided directly to us by you, including through our website, during meetings or through mail exchange, telephone calls, e-mail and other forms of communication with you. Such personal data may include your name, national identity number, e-mail, phone number, IP-address, job title and workplace.

3.2 To offer, provide and develop our services, and to ensure we maintain correct and up to date information of you, we may also gather personal data from third parties, including publicly available sources and other external sources. These may include, for example, our data providers and intermediaries, public share registers and public records of supervisory authorities. We may also receive information about you from customers and users of our services. Personal data gathered from third parties may include your name, address, contact information, job title, workplace and information on shareholdings.

4.1 When we process personal data for any of the purposes described in Section 5 (How your personal data is used) below, some of your personal data may be shared with others. Personal data may be shared with:

Our customers, their authorised personnel and other users of our services, in order to perform our services. Our customers primarily include listed companies, banks and legal and financial advisors.
Our partners and suppliers (including sub-processors), in order to perform services and fulfil agreements we have with them or with you. Our partners and suppliers may include, for example, companies offering IT-solutions such as electronic platforms and business systems, or our bank when processing payments of financial compensation.
Public authorities, to the extent we are under statutory obligations to do so.

4.2 We enter into data processing agreements where relevant, regulating what and how personal data shall be processed, and to ensure that such processing complies with the GDPR.

4.3 Our processing of personal data is carried out within the EU/EEA. Any transfers of personal data outside the EU/EEA will be subject to the requirements under the GDPR and will be limited to transfers where:

the European Commission has determined that the country in question has an adequate level of data protection; or
other appropriate safeguards are in place, such as the use of standard contractual clauses as approved by the European Commission; or
there is an exception in a specific situation, for example to perform a contract with you or if you have given your consent to the specific transfer.

5. HOW YOUR PERSONAL DATA IS USED

Purpose	Processing	Categories of personal data	Legal basis	Storage time
To deliver, evaluate, develop, and improve our services and systems for our customers	Collection of contact information, ownership data, insider ownership- and transactions, financial information etc. Publication in Modular Finance’s services. Analysis and evaluation of Modular Finance’s services. Adaptation of services to improve the customer experience.	- Name. - Contact information. - Corporate governance data. - Ownership data. - Insider data. - Other financial data. - Personal identity numbers. - Technical data.	Legitimate interest. The processing of personal data is required for accommodating our legitimate interest of delivering, developing, and improving our services, products and systems for our customers.	Throughout the delivery of our service toward our customers, personal data will be processed for the duration of our customer contract and as long as the data is required for the delivery of our services. Thereafter, personal data will be stored for a period of 12 months.
To manage orders and purchases of our services, ongoing customer correspondence, customer support issues	Collecting contact information. Processing of payments. Sending confirmations. Email contact.	- Name. - Personal identity number. - Contact information (address, e-mail address and telephone number).	Legitimate interest. The processing is needed to accommodate our legitimate interest of communicating with our customers.	Throughout the delivery of our service toward our customers, personal data will be processed for the duration of our customer contract and as long as the data is required for the delivery of our services. Thereafter, personal data will be stored for a period of 12 months.
Quality assurance and internal training	Audio or video recording of digital meetings with existing and potential customers. Storage and internal review.	- Name. - Contact information. - Voice and image (in case of video). - Information provided voluntarily during the meeting.	Legitimate interest. We have assessed that the processing is necessary for the listed purposes, and that our legitimate interests are not overridden by the customer’s interests or fundamental rights.	Recordings are stored for the duration of our customer contract and as long as the data is required for the delivery of our services. Thereafter, personal data will be stored for a period of 12 months. Recordings of meetings with potential customers are stored for a period of 12 months.
To fulfil our legal obligations	Managing legal obligations according to applicable laws and decisions from government authorities.	- Name. - Personal identity number. - Contact information (address, email address, telephone number).	Legal obligation. The collection and processing of personal data is demanded by law.	36 months.
To manage job applications when recruiting new staff	Collection of CV, personal letter, and other documentation regarding the recruitment process. The documentation is sent to us by the candidates. Communication throughout the process.	- Name. - Contact information (address, e-mail address and telephone number). - Other personal data that may be included in CV and personal letter.	Consent, legitimate interest.	24 months after consent has been given. Some personal data may be stored for longer.
To ensure a structured, fair and consistent recruitment process, and to enable review by the recruitment team	Audio or video recording of digital meetings. Storage and internal review.	- Name. - Contact information. - Voice and image (in case of video). - Answers, statements and other information provided voluntarily during the interview.	Legitimate interest. We have assessed that the processing is necessary for the listed purposes, and that our legitimate interests are not overridden by the candidate’s interests or fundamental rights.	Recordings are stored for a maximum of 3 months after the recruitment process is completed, after which they are permanently deleted.

6. COOKIES

6.1 Cookies are small text files sent from our web server and which are stored in your web browser or unit. Cookies contain information on your visit and use of our websites and can be used to track which pages you visit, save input information or remember your preferences or settings.

6.2 We use cookies and other similar technology on our websites and in our apps to give you the best possible customer experience, to better understand the functions of our websites and to improve our services. We do not collect cookies for individually customised marketing.

6.3 We use different types of cookies on each service-specific website and app. Read more about the type of cookies in the Cookie Panel for the relevant website/app. The categories of cookies used are described below.

6.4 Necessary cookies: These cookies are necessary in order for our websites and apps to function properly. These cookies handle features such as login flows, security and saving your preferences such as language settings. These cookies do not save any personal data. Necessary cookies cannot be turned off.

6.5 Cookies for analytics and improvements: These cookies allow us to analyse how you use our websites and/or apps so that we can improve your user experience and to better understand how users experience and use them. We use the service Posthog to track user behaviour in our Monitor app, and the service Google Analytics on our websites www.modularfinance.com and www.mfn.se and in our service Holdings and Monitor to collect information on how you use them. The use of cookies which are not necessary for our websites or apps to function properly require your consent, which you can provide when you first use our websites or apps or by later changing your cookie settings. You may withdraw your consent at any time by changing your cookie settings.

6.6 Our use of cookies may sometimes mean that we process your personal data, as set forth in this Privacy Policy.

6.7 You can choose to completely remove the ability for cookies to be stored in your browser by changing your browser’s cookie settings. If you have opted out of cookies being stored in your browser, cookies from us and other websites will no longer be stored. Since some cookies are necessary for the functioning of the website, you may notice that some features of our and other websites do not work properly.

7. PROTECTING YOUR PERSONAL DATA

In order to protect your personal data and maintain effective protection, we have implemented a number of measures including:

Technical security measures, including passwords, firewalls, encryption, and antivirus software.
Administrative and technical control functions to limit the access to personal data.
Physical security measures, such as entrance cards and codes to enter our office.
Training of relevant staff to ensure they are aware of our responsibility when processing your personal data.

8. YOUR RIGHTS

As a data subject, you have a number of rights pursuant to the GDPR with regards to your personal data and those who process them. These rights are presented and explained below.

8.1 THE RIGHT OF ACCESS

You have the right to access your personal data. Observe that we may ask for additional information to ensure an effective processing of your request.

8.2 THE RIGHT TO RECTIFICATION

If your personal data is inaccurate or incomplete, you have the right to request rectification. This includes a right to add such personal data that is missing and that is relevant taking into account the purpose of the processing.

8.3 THE RIGHT TO ERASURE

You have a right to request that we erase your personal data if:

the personal data is no longer necessary in relation to the purposes for which it was collected or processed;
you withdraw consent on which the processing is based, and there is no other legal grounds for the processing;
the processing is carried out for direct marketing and you object to the personal data being processed;
you object to processing that is based on a weighing of interest, and there are no legitimate reasons that override your interest;
the personal data has been unlawfully processed; or
erasure is required in order to fulfil a legal obligation.

In certain exceptions, we may not be required to erase your personal data. This includes if it is necessary in order to satisfy other important rights or to fulfil a legal obligation.

8.4 THE RIGHT TO RESTRICTION OF PROCESSING

In certain cases, you have the right to request that we restrict our processing of your personal data. This includes cases where: you have contested the accuracy of the personal data; the processing is unlawful and you oppose erasure and request restriction of use instead; we no longer need the personal data for the processing but the personal data is required by you for a legal claim; or you have objected to processing based on a weighing of interest pending the verification whether our legitimate grounds override yours.

Where the processing of your personal data has been restricted, we may store your personal data and process it if it is necessary for the establishment, exercise or defence of a legal claim or if you have given your consent to it. If the restriction on processing ceases to apply, you have the right to be informed.

8.5 THE RIGHT TO OBJECT

You have the right to object to the processing of your personal data if the processing is based on our legitimate interest. If you object to our processing, we may only process your personal data if it can be demonstrated that there are compelling legitimate reasons for the processing that override your interests, rights and freedoms. In other cases, we may only process the personal data to manage legal claims.

You may also object if the personal data is processed for direct marketing purposes, after which the personal data may no longer be processed for such purposes.

8.6 THE RIGHT TO DATA PORTABILITY

If the processing of your personal data is based on your consent or a contractual obligation with you, you have the right to request that the personal data that you have transferred to us is transferred to another personal data controller. This requires that the transfer is technically possible and can be automated.

9. QUESTIONS OR EXERCISING YOUR RIGHTS

If you have questions or want to exercise your rights, you may contact our DPO at [email protected]. You may also file a complaint with or contact the Swedish Authority for Privacy Protection (IMY). You can find contact details to IMY on their website http://www.imy.se/en.

10. MODIFICATIONS TO THIS PRIVACY POLICY

We continuously work to improve our services and may change how we process personal data in the future. This may include changes to the personal data we process, how it is processed and for what purposes. This Privacy Policy may thereby be updated and modified from time to time. The date on which this Privacy Policy was last updated appears at the top of this Privacy Policy.

We will provide notification, or request your consent, for modifications if and as required by applicable laws and regulations.