RESILIENT PAYMENT SYSTEMS EAST AFRICA LIMITED

Privacy Policy

Effective Date: 7 June 2025
Last Reviewed: 7 June 2026
Version: 1.5

1. Introduction

Resilient Payment Systems East Africa Limited (“RPSE”, “we”, “us”, or “our”) is a financial technology company incorporated and operating in the Republic of Kenya, with operations across East and West Africa. We provide core banking, mobile banking, agency banking, payment switching, card management, settlement, and anti-money laundering (AML) technology solutions to banks, microfinance institutions, SACCOs, and other regulated financial institutions.

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you interact with our websites (including resilientsystems.co), our cloud infrastructure (Resilient Cloud), our SMS platform (ResilientSMS), our CRM platform (SalesMate), our Re-Bank core banking suite, and any related services (collectively, the “Services”).

We are committed to handling personal data lawfully, transparently, and in accordance with the Kenya Data Protection Act, 2019 (DPA), the Kenya Data Protection (General) Regulations 2021, and, where applicable, equivalent legislation in the other jurisdictions in which we operate.

2. Who This Policy Applies To

This Policy applies to:

• Visitors to our websites and digital platforms.
• Prospective clients who submit enquiry, demo-request, or architecture-review forms.
• Clients and their authorised representatives who subscribe to our Services.
• Employees, contractors, and consultants of RPSE.
• End users of financial institutions that deploy our Re-Bank, Mojaloop, or Tazama-based solutions (to the extent that RPSE processes data on their behalf as a data processor).

3. Data Controller and Data Processor

RPSE acts as a data controller when it determines the purposes and means of processing personal data — for example, when managing its own client relationships, website analytics, and internal HR records.

RPSE acts as a data processor when it processes personal data on behalf of a financial institution that has deployed our Re-Bank or payment-switch solutions. In those circumstances, the financial institution is the data controller and RPSE processes data only on documented instructions. Separate Data Processing Agreements (DPAs) govern such arrangements.

4. Personal Data We Collect

4.1 Data You Provide Directly

• Identity data: full name, job title, organisation name and type.
• Contact data: official email address, mobile number, company telephone number.
• Technical context data: current core banking system, preferred demo date, primary digital channels, target deployment timeline.
• Correspondence: emails, enquiry forms, support tickets, and any other communications you send to us.

4.2 Data We Collect Automatically

• Usage data: pages visited, time on page, browser type, operating system, and referring URL, collected via server logs and analytics tools.
• Device data: IP address, device identifier, and approximate geolocation derived from IP.
• Cookie data: session cookies, preference cookies, and analytics cookies (see Section 11 for full cookie details).

4.3 Data We Receive from Third Parties

• Business intelligence sources: publicly available information about organisations and their technology infrastructure, used to prepare personalised demonstrations.
• Partner referrals: contact details passed to us by accredited integration partners or resellers, subject to their own privacy notices.

5. Purposes and Legal Bases for Processing

We process personal data only where a lawful basis exists under the Kenya Data Protection Act, 2019. The table below summarises our primary processing activities, listing each purpose followed by its legal basis:

• Responding to demo and consultation requests — Pre-contractual steps at your request
• Delivering and supporting contracted Services — Performance of contract
• Sending product updates, whitepapers, and event invitations to existing clients — Legitimate interests (client relationship management)
• Sending marketing communications to prospects — Consent — you may withdraw at any time
• Fraud prevention, AML monitoring, and platform security — Legitimate interests / legal obligation
• Complying with regulatory and legal requirements — Legal obligation
• Improving our platforms and Services through aggregated analytics — Legitimate interests
• Internal HR and payroll administration — Performance of contract / legal obligation

6. How We Share Personal Data

We do not sell personal data. We may share personal data with:

• Service providers and sub-processors (e.g. cloud hosting providers, email delivery platforms, analytics tools) under binding confidentiality and data processing agreements.
• Integration partners and system integrators engaged on specific client projects, subject to NDA and DPA.
• Regulatory and law enforcement authorities where we are required to do so by applicable law or court order.
• Prospective acquirers or investors in connection with any merger, acquisition, or restructuring of RPSE, subject to confidentiality obligations.

Where we transfer personal data outside Kenya, we ensure that an adequate level of protection is in place through appropriate safeguards such as standard contractual clauses or the recipient country’s data protection adequacy status.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes set out in this Policy and to comply with applicable legal, regulatory, and contractual obligations.

Specific retention periods include:

• Enquiry and demo-request data: 24 months from the date of submission, or until a contractual relationship is established.
• Client contract data: 7 years from the end of the contract, in accordance with Kenyan tax and financial record-keeping requirements.
• Website analytics data: 26 months on a rolling basis.
• Employee records: 7 years from the end of employment, or as required by statute.

When data is no longer required, we delete or anonymise it securely.

8. Data Security

RPSE implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest.
• Role-based access controls and multi-factor authentication on all production systems.
• Regular vulnerability assessments and penetration testing.
• ISO/IEC 27001:2022-aligned information security management practices.
• Incident response and breach notification procedures in accordance with the DPA.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours and affected individuals without undue delay.

9. Your Data Protection Rights

Under the Kenya Data Protection Act, 2019, you have the following rights in relation to your personal data:

• Right of access: to obtain confirmation of whether we hold your personal data and to receive a copy.
• Right to rectification: to have inaccurate or incomplete data corrected.
• Right to erasure: to request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to restriction: to request that we limit processing of your data in certain circumstances.
• Right to data portability: to receive your data in a structured, commonly used, machine-readable format.
• Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Officer at the details in Section 12. We will respond within 21 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

10. Children’s Privacy

Our Services are directed at businesses and their professional representatives. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected such data, we will delete it promptly.

11. Cookies and Tracking Technologies

Our websites use cookies and similar tracking technologies to enhance your browsing experience and gather analytics. The categories of cookies we use are:

• Strictly necessary cookies: required for the website to function and cannot be disabled.
• Analytics cookies: help us understand how visitors interact with our website (e.g. Google Analytics). These are only set with your consent.
• Preference cookies: remember your settings and choices.

You can control cookie settings through your browser preferences or our cookie consent banner. Disabling certain cookies may affect website functionality.

12. How to Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

Data Controller: Resilient Payment Systems East Africa Limited
Registered Address: Nairobi, Kenya
Website: www.resilientsystems.co

Privacy enquiries: privacy@resilientsystems.co

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or applicable law.

We will post the updated Policy on our website and, where the changes are material, notify affected individuals by email or prominent website notice.

The “Last Reviewed” date at the top of this document indicates when the Policy was last updated. Continued use of our Services after any update constitutes acceptance of the revised Policy.

This document was prepared for Resilient Payment Systems East Africa Limited and reflects data protection obligations under the Kenya Data Protection Act, 2019 and associated regulations.