MoneyGram Global Privacy Notice

MoneyGram conducts its business primarily through the wholly-owned subsidiary MoneyGram Payment Systems Inc., a U.S. entity located at 1550 Utica Avenue South, Suite #100, Minneapolis, MN 55416 ("MPSI”). MPSI is often the data controller in relation to the use of Services, including MoneyGram’s marketing activities. The data controller for non-custodial wallet is MoneyGram Software Services, Inc Registration Address: 1550 Utica Ave S Ste 100 Minneapolis MN 55416. However, depending on your location and the way you interact with MoneyGram, a different MoneyGram company may be the data controller. For example, if you use Services in the European Economic Area (“EEA”), you will be interacting with MoneyGram International SA, a Belgium entity with its registered address at Rue Joseph Stevens BE-1000 Brussels (“MIS”), who is the data controller.

Please click here for a list of the companies that are data controllers, depending on your location and the way you interact with them.

Some of MoneyGram companies have appointed a data protection officer or equivalent (“DPO”) to oversee the processing of personal data. Click here to check which company has appointed a DPO, and if so, how to contact the DPO.

The categories of personal data we process will vary based on your relationship or interaction with us. This may include the following:

• Personal identification information, such as your name, residential and/or business address, e-mail address, telephone number, date of birth, gender, images, marital status, country of citizenship, and identification numbers (e.g., national identification number(s) and /or national ID details);
• Transaction and financial details, such as money transfer data relating to the sender and the receiver, bill paying details, as well as bank and credit information;
• Business-related information that helps us provide Services to you, such as membership in our loyalty programs, how you use our Services, employer information, communication preferences, or your marketing choices;
• Technological information, such as IP address, browser, device information, including device identifiers and device’s advertising ID, mobile application usage data, information collected through cookies, pixel tags, browser analysis tools, server logs, web beacons, SDK and other similar technologies (collectively, cookies), your current location from your mobile device, demographic information and closed-circuit television ("CCTV”) data. Some of the information is collected via cookies. For details on how we use cookies, please see our Cookie Notice; and
• Compliance information, such as may be requested by law enforcement or pursuant to our compliance procedures to comply with legal obligations and internal policies such as concerning fraud prevention, anti-money laundering and sanctions.

We collect personal data directly from you, for example, when you contact our call center, complete online forms, register for our loyalty programs, apply to become an agent, or use the Services.

In some situations, we also collect your personal data from other people or organizations such as: money transfer senders, our third-party vendors, public record sources (federal, state or local government sources), MoneyGram affiliates and subsidiaries, social media platforms, MoneyGram partners or agents, depending on our relationship with them.

We must have a lawful basis for processing your data. We explain this in the table and subsequent section on marketing communications below. We also explain the purposes for which we use your data.

Failure to provide your personal data when requested for contract performance, business purposes or compliance with legal obligations may prevent us from being able to carry out our tasks under the contract or our business purposes and/or comply with our legal obligations, therefore we may need to terminate the contract with you.

How We Send Marketing Communications

The legal basis for sending you marketing communications depends on your location and the applicable regulations. We strive to ensure that all communications are relevant and align with your preferences.

Consent:

In jurisdictions where explicit consent is required, we will only send you marketing communications if you have given your consent. This includes:

• Sending marketing communications via email, SMS, or push notifications with offers, promotions, coupons, or incentives that we believe may be of interest to you.
• Ensuring that your preferences are respected and that no communications are sent without your prior approval, in line with local regulations.

You may withdraw your consent at any time by following the unsubscribe option provided in our communications or contacting us directly at privacyprogramoffice@moneygram.com..

Legitimate Interest:

If you are an existing customer, we may send you marketing communications unless you choose to opt out. These communications are designed to keep you informed about relevant products and services. This includes:

• Marketing communications via email or SMS with offers, promotions, coupons, or incentives from MoneyGram that we believe may be of interest to you.
• Communications about similar products or services that align with your previous interactions or purchases.

You can opt out of these communications at any time by following the unsubscribe link provided in our messages, contacting us directly at privacyprogramoffice@moneygram.com., or replying “STOP” to an SMS.

Opt-Out:

In certain jurisdictions, we may send marketing communications by default, provided that you have the ability to opt out at any time. This includes:

• Notifications about MoneyGram’s latest products, services, or special promotions unless you indicate your preference to no longer receive such communications.

You can opt out of these communications at any time by following the unsubscribe link provided in our messages, contacting us directly at privacyprogramoffice@moneygram.com., or replying “STOP” to an SMS.

Contractual Performance:

If you are a member of the MoneyGram Plus Rewards™ loyalty program, we may send you communications related to the program. This includes:

• Offers, benefits, and rewards tailored to your membership as part of fulfilling our obligations under the loyalty program.
• Updates and notifications about program-specific promotions or exclusive member deals, as determined by MoneyGram from time to time.

These communications are sent as part of your membership benefits and are necessary to deliver the services associated with the program.

We share your personal data with:

• Other companies in MoneyGram, in particular: MoneyGram International, Inc. (Texas, USA), MPSI, MIS and MoneyGram Poland Sp. z o.o. (Warsaw, Poland), for the performance of Services, internal administration and regular reporting in the context of a business re-organization or group restructuring, for system maintenance support, and for data hosting.
• Our third-party providers, the majority of whom process personal data on our behalf and in line with our instructions. These include IT service providers, providers of auditing and control services, legal services, recovery, printing, disposal of documents, postal and courier services, companies and organizations that provide fraud protection services, and our agents and third-party providers we use to market Services or provide you with personalized ads or interest-based ads.
• Social media platforms; YouTube, Tik Tok and Meta - for details on how we share data with Meta, see here.
• Buyers or other successors in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets.
• Law enforcement bodies, courts and court enforcement authorities if we have to comply with any court order, law or legal process, including responding to any government or regulatory request.

MoneyGram operates globally and, therefore, personal data may need to be transferred to countries outside of where it was originally collected.

MoneyGram’s global headquarters is based in the United States, and several material functions and systems are operated from the US, which means that some personal data must be transferred to the US. We may transfer your personal data to MoneyGram’s data centers and call centers in the US, for processing and storage. MoneyGram has concluded an Intragroup Data Sharing and Processing Agreement to regulate intracompany data flows and data transfer clauses within data processing or data sharing agreements with third-party vendors.

All our personal data transfers are compliant with applicable data protection laws. The agreements we have in place within MoneyGram and with our third-party vendors include appropriate safeguards to ensure that the data flows are safe and that individuals can exercise their data protection rights. These include standard contractual clauses or other arrangements, as applicable in specific countries, and other safeguards as may be appropriate. We may also transfer data to countries with an adequate level of personal data protection based on the decisions adopted by competent authorities, such as the adequacy decisions adopted by the European Commission or the United Kingdom.

To learn more about our data transfers or to receive a copy of the appropriate safeguards we have adopted, please reach out to us using the contact details in the Section “How to contact us”.

We store your personal data as long as it is necessary to provide the requested Services and to fulfill applicable legal, accounting, tax or reporting obligations. The retention period is determined based on applicable requirements and obligations, which may include:

• Legal and regulatory requirements related to Services: Your personal data is retained as long as necessary to meet all legal obligations, including but not limited to trade, tax, and anti-money laundering laws and regulations. While we retain your personal data solely for the purpose of fulfilling legal obligations, your data will be restricted from being used for any other purposes.
• Customer service: We will retain your personal data for the period necessary for MoneyGram to defend against potential claims.
• Marketing: We will process your personal data for marketing purposes until consent is withdrawn or an objection to marketing communication is submitted.

We use a variety of robust physical, technical, organizational, and administrative safeguards to protect your personal data from unauthorized access, loss or alteration. You also play an important role in protecting your personal data. Please safeguard your login information, including account username and password, and do not share these with others. You should notify us immediately of any suspected unauthorized use of your account.

Depending on and subject to the applicable laws, you have certain rights regarding the personal data that we hold about you. These rights may include the following:

• access to and obtaining a copy of your personal data,
• rectification of your personal data if it is inaccurate or incomplete,
• restriction of the processing or erasure of your personal data (the right to be forgotten),
• data portability, if the processing, done using automated means is based on your consent or to perform a contract,
• objection to the processing of your personal data based on legitimate interests,
• withdrawal of your consent at any time; such withdrawal does not affect the lawfulness of processing of your personal data which was carried out prior to withdrawal.

If the applicable laws in your country offer different data protection rights, you are entitled to exercise such rights as well in line with those laws. We will endeavor to respond to your request within 30 days, but our response time may vary depending on the applicable laws. In some circumstances, we may be entitled to extend this period after notifying you. In order to respond to your request, we may need to confirm your identity. For that, we may ask you for some specific information or authenticate you in another way.

It is noteworthy that there can be situations in which MoneyGram will be unable to fulfill your request. For example, MoneyGram may not be able to delete your personal data if those data are still required for the purposes for which they were initially collected and processed, such as the need to retain certain personal data for compliance with legal regulations.

To exercise those rights, use the contact details in the Section “How to contact us”.

You can express your marketing choices in other ways:

• You can opt out of receiving marketing communications from us at any time by:
  • updating your choices on your MoneyGram profile or in the mobile application,
  • clicking on the “unsubscribe” link at the bottom of a MoneyGram marketing email,
  • replying “STOP” to an SMS.
• You can reset your device’s advertising ID by using the “settings” menu on your mobile device.

Data protection laws vary across the jurisdictions. In most countries, you are entitled to lodge a complaint with a relevant authority in your country (where you live, work or where the suspected privacy issue occurred), if you are concerned about processing of your personal data or if your rights have not been complied with.

However, we would like to encourage you to reach out to us first to share your questions or concerns or to exercise your rights. For that, you may use the contact details in the Section How to contact us”.

We do not make any decision based solely on automated processing, including profiling, which produces legal or similar effects concerning you.

We reserve the right to update this Notice at any time. The updated Notice will be available on the website. We will notify you directly of substantial updates that affect you.

If you have any questions about this Notice or our privacy practices or would like to exercise any of your data protection rights, please:

• email us at PrivacyProgramOffice@MoneyGram.com
• submit your query via a dedicated intake form,

and we will be more than pleased to assist you.

You may also contact us at our registered address, as provided in here. However, we encourage you to contact us first using one of the options above.

The notices below supplement this Notice in line with the applicable data protection laws in those countries / regions and apply to individuals in those countries / regions.

A. Turkey

1. Who is the data controller?

Please click here to see details of the data controller in Turkey, for the purposes of the data protection laws applicable in Türkiye, including the Law on Protection of Personal Data No. 6698 of 7 April 2016 (the "Law”).

2. Why we collect, use and store your personal data?

We collect and process your personal data by automated, semi-automated and non-automated means to the extent that such processing is part of a filing system.

3. What are your choices and rights?

In addition to the information in the Notice, you have the following rights, and we will respond to your applications under the Law within 30 days:

• the right to request that notification of transactions related to deletion/correction be sent to third persons, to w your personal data is transmitted;
• the right to erasure of your personal data if any of the conditions listed in art. 7 of the Law are met;
• the right to object to the occurrence of a circumstance which is against your interest that has come into existence as a result of analysis of your personal data solely by automatic systems;
• the right to demand compensation for the damage suffered as a result of unlawful processing of your personal data.

4. Application and Interpretation of the Global Privacy Notice

Under the “Why we collect, use and store your personal data” section above,

• the “Legitimate business purposes (so-called legitimate interest)” legal basis is interpreted as our (data controller’s) legitimate interest, and not that of others.
• The “Your consent” purposes are as follows: to personalize content and ads, if required; to send you marketing communications (via email, SMS or push notification) including offers, promotions, coupons or incentives we believe may be of interest to you; to allow you to participate in sweepstakes, contests and similar promotions, and to administer these activities; to display or deliver interest-based ads; to synchronize your contact list with your account; and to connect your account to a third-party platform.

We will notify you in the event of a new purpose in line with the Law.

B. Mainland China

1. What are the categories of your sensitive personal data which we process?

Sensitive personal data refers to personal data that, if leaked or used illegally, may easily lead to an infringement upon the human dignity of a natural person or the endangerment of the safety of his/her body or property. Sensitive personal data are as follows:

• your national identification number(s) and national ID details,
• your facial image,
• your social security or other taxpayer identification number(s),
• your banking details,

2. What are your choices and rights?

Under the Personal Information Protection Law (“PIPL”), in addition to the rights in the Notice above, you may request that personal data be transferred to a data controller designated by you, and you may ask us to explain the personal data processing rules.

We will respond to a request in which you exercise your data protection rights within 20 days.

In addition to the rights listed in the Notice, you have the right to restrict the use of your personal data for direct marketing purposes.

C. Hong Kong

1. What are your choices and rights?

Under the Personal Data (Privacy) Ordinance (Cap. 486), you are entitled only to the rights to request access to, and to request correction of your personal data.

D. CCPA en VCDPA

The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations (collectively, the “CCPA”); certain terms used in this supplement have the meanings given to them in the CCPA.

Information included in this supplement and this Notice will be updated at least once every twelve (12) months to reflect changes in our business, legal or regulatory obligations, so please check this Notice periodically for changes.

1. What are the categories of personal information that we process?

We may collect the following categories of personal information:

• Identifiers: identifiers, such as a real name, alias, postal address, unique personal identifier (e.g., device identifier, unique pseudonym, or user alias/ID), telephone number, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, date of birth, and other similar identifiers.
• Additional Data subject to Cal. Civ. Code § 1798.80: signature, physical characteristics or description, state identification card number, insurance policy number, education, bank account number, and other financial information, medical information, and health insurance information.
• Protected Classifications: characteristics of protected classifications under California or federal law, such as race, color, age, sex, gender, gender identity, marital status, disability, and military and veteran status.
• Online Activity: Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with websites or applications.
• Sensory Information: audio, electronic, visual, and similar information.

2. Why we collect, use and store your personal information?

In addition to the information in the Notice, we process your personal information for the following “business purposes” as they are described in the CCPA:

• Auditing, including auditing compliance.
• Certain short-term, transient uses.
• Helping to ensure security and integrity.
• Debugging to identify and repair errors that impair existing intended functionality.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of services or devices that are owned, manufactured, manufactured for or controlled by us, and to improve, upgrade, or enhance these.

We do not collect or process sensitive personal information with the purpose of inferring characteristics about individuals.

To the extent we process deidentified information, we will maintain and use the information in deidentified form and will not attempt to reidentify the information unless permitted by applicable law.

3. How we share your personal information?

In addition to the information in the Notice, we may have disclosed the following categories of your personal information for a business purpose to the following categories of third parties:

We do not sell or share for cross-context behavioral advertising purposes personal information of our individuals.

4. How to contact us?

To submit a request as an authorized agent on behalf of an individual, please use the contact details in the Section “How to contact us” in the Notice above.

Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request.

We may verify your identity by requiring you to sign into your MoneyGram company account. If you do not have a MoneyGram company account and you request access to, correction of or deletion of your personal information, we may require you to authenticate your email address and/or provide information about your employment dates with MoneyGram, prior payments from MoneyGram, prior correspondence with MoneyGram, or other details about your work for or relationship to MoneyGram.

In addition, if you do not have a MoneyGram company account and you ask us to provide you with specific pieces of personal information, we will require you to sign a declaration, under penalty of perjury, that you are the individual whose personal information is the subject of the request.