Robinhood Europe, U.A.B. Privacy Policy (EU)

Last updated: 06 December 2023

This Privacy Policy sets out how the Robinhood entities set out in Annex 1 (“Robinhood”, “we”, “our”, or “us”) collect, process, and disclose your personal data in connection with our websites, apps, and other interactions (such as when you contact us or communicate or interact with us, for example via our pages or brand on social media websites, when you participate in offers, competitions, contests, sweepstakes or similar, when you participate in market research) in relation to our services (including when you are a prospective customer, customer or former customer (“Customer”)).

It also describes your data protection rights, including a right to object to some of the processing which we carry out in certain circumstances. More information about your rights, and how to exercise them, is set out in the “Your Data Subject Rights” section.

We also may provide you with additional information when we collect personal data where we feel it would be helpful to provide relevant and timely information.

You may contact us at any time using the information set out in the “How to Contact Us” section.

1. PERSONAL DATA WE COLLECT AND HOW WE COLLECT IT.

We process personal data about you when you use our website, apps, and when you interact with us in relation to our services, This includes:

• Information you provide to us and information relating to your communication, such as information you submit via forms on our websites and apps and in surveys and focus groups and information you provide us if you contact us and information relating to our handling of your communication.
• Usage and tracking information. We automatically collect certain types of usage and device information when you use our services or interact with our emails. This includes device identifiers (like IP address or mobile device identifiers), browser type, Internet service provider, platform type, device type, operating system, pages or features you use, time and date of access, unique device or account ID, usage information and other similar information. We collect this information using cookies and other technologies as described in our Cookie Notice.

In relation to information you provide us, the provision is optional, but if it is not provided this may affect your ability to receive certain services or take part in certain activities where the information is needed for those purposes.

Information about other sources of personal data is set out in the next Section.

We process the following categories of personal data in connection with our Customers and our services:

• Identity and contact data, such as your name, date of birth, email address, mailing address, telephone number, marital status, other data from government-issued identification documents, and facial images for verification and authentication purposes.
• Financial data, such as your bank account and payment card details, and information about your income, account balances, securities holdings, financial transaction history, credit history, and tax information.
• Profile data, such as your username and password, your knowledge assessment results, and your interests and preferences.
• Marketing and advertising data, such as participation in focus groups, survey responses, contests/sweepstakes, your marketing choices, information regarding your preferences or attributes based on your use of our services, customer profiles and segments based on characteristics and combinations of characteristics, such as financial transaction history and holdings, and your interactions with advertising and marketing communications.
• Customer support and communication data, such as your feedback and interactions with our customer support teams and other communications you have with us.
• Service and transactional information. When you receive, submit, or complete a transaction via the services, we collect information about the transaction, such as transaction amount, type and nature of the transaction, and time and date of the transaction.

We collect information you directly provide when you use our services. For example, data is collected through application and sign ups, obtained from your use of our service, from forms completed by you, and from correspondence with you. Information about other sources of personal data is set out in the next Section.

Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to provide our services without this information. In other cases, provision of the requested personal data is optional, but this may affect your ability to procure or access certain functionalities or services where the information is needed for those purposes.

2. THIRD PARTY SOURCES

Where you are a website or app user, we collect information from advertising partners in connection with our ad campaigns that have surfaced on other platforms, such as the ads you clicked on and other interactions with our ads.

When you participate in research, we obtain information that you provide our service providers and partners that are assisting us with market research from those service providers and partners as well as their analysis in relation to research contributions.

When you participate in offers, competitions, contests, sweepstakes or similar that we offer, we collect participation data from service providers and partners that we work with in relation to the offer or competition.

When you communicate or interact with us, our pages or brand on social media websites, we collect information about your communication or interaction from social media companies and service providers we engage in order to provide us analytics in relation to our social media pages and presence.

In relation to our Customers and services, we also obtain information about you from third party sources as described below.

• Vendors and business partners. We collect contact and account information from technical, currency, payment and delivery service providers, fraud risk ratings, sanctions status, and related information from anti-fraud, anti-money laundering and sanctions reporting service providers, results of verification checks from providers of identity verification and related services, and attributes and interactions with different digital properties and advertisements from analytics and advertising service providers. We also use Google autofill features to help complete addresses during onboarding.
• Payment Services Providers. We support account linking and payment services through a third-party provider. We may receive details about your relationship and accounts with your financial institution.
• Connected services. If you link, connect, or log in to your Robinhood account with a third-party service (e.g., Google, Apple), the third-party service may send us information such as your profile information from that service. This information varies and is controlled by that service or as authorised by you via your privacy settings at that service. We may also collect location data through these services if this feature is enabled.
• Publicly available data, such as contact information, social media content made public, sanctions lists and similar information.

3. OUR PURPOSES FOR PROCESSING PERSONAL DATA

We have to have a legal basis to process your personal data. We explain these legal bases below alongside the purposes for which we process your data.

• Consent
  • In certain limited cases, we ask for your consent to use your personal data. Whenever we ask with your consent, we will explain the situations where we use your personal data and for what purposes.
• Contractual performance
  • We have obligations under our contract with you, depending on the nature of the contract. To fulfil these obligations we have to use your personal data.
• Legitimate interests
  • We can process your personal data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of the notice.
• Legal obligation
  • As an organisation we have obligations to comply with legal, regulatory, and other requirements under EU/EU Member State laws. In certain cases, we will have to use your personal data to meet these obligations.

In relation to website and app users, individuals that interact with us, our pages or brand on social media websites, individuals that participate in offers, competitions, contests, sweepstakes or similar and individuals that participate in market research:

Legal Basis: Legitimate interests

• Providing our website and apps and the functionalities on our websites and apps
• Handling and responding to queries, comments, complaints and other communications you send us
• Conducting, administrating and fulfilling offers, competitions, contests, sweepstakes or similar
• Carrying out market research on our brand, products and services and how we compare to others in the market in order to understand how we can improve our brand, products and services and to inform our marketing and promotional strategies
• Responding to and interacting with social media users and analysing interaction with our social media pages and our brand on social media websites
• Maintaining the security of our websites and apps and detecting, investigating, monitoring, remediating and/or preventing security or cyber incidents
• System administration, operation, testing and support
• In connection with protecting and enforcing the rights, property, security or safety of us, our business, our customers or others, including investigating and helping to prevent fraud or other unlawful activity
• Understanding how visitors engage with our websites and apps and monitoring, improving and optimising the performance of our websites and apps
• Meeting requests from any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals
• In connection with establishing, exercising or defending legal claims
• Compliance, regulatory, audit and investigative purposes

Legal Basis: Consent

• Sending you direct marketing by in-app messaging, email or SMS, including newsletters, product announcements, partner offerings, surveys, contests or sweepstakes, events, or announcements
• Using cookies or similar technologies for the purposes explained in our Cookie Notice

Legal Basis: Legal obligation

• Where we are required by law to process your personal data, including making legally required disclosures to any regulatory, prosecuting, tax or governmental authorities, courts or other tribunals

In addition, in connection to our Customers and services:

Legal Basis: Contractual necessity

• Processing account applications, providing products and services to our customers, managing customer accounts and billing, providing contractually required service, relationship or transactional information and otherwise performing our obligations under our contract with you
• Administering and facilitating contests, sweepstakes, and promotions and processing and delivering entries and rewards in accordance with the terms of the contest, sweepstake or promotion

Legal Basis: Legitimate interests

• Managing our relationship with you, which includes notifying you about changes to our terms or this Privacy Policy
• Marketing and business development activities and analysis, including analysis to understand what products and services may be of interest to you and others for direct marketing and advertising purposes
• Handling and responding to queries, comments, complaints and other communications you send us
• Understanding how visitors engage with our services and monitoring, improving and optimising the performance of our services and developing the services we offer
• Identifying and managing financial, regulatory and reputational risk
• Meeting legal requirements in other jurisdictions, including required disclosures to any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals
• Meeting requests from any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals
• In connection with protecting and enforcing the rights, property, security or safety of us, our business, our customers or others, including investigating and helping to prevent fraud or other unlawful activity
• Information security purposes (including detecting, investigating, monitoring, remediating and/or preventing security or cyber incidents) and detecting and preventing fraud
• In connection with establishing, exercising or defending legal claims, including enforcing and carrying our contracts and agreements
• For compliance, regulatory, audit and investigative purposes
• Personalising our services, including by suggesting and customising content in the app based on your interactions with Robinhood services.

Legal Basis: Consent

• Personalised advertising when permitted by your privacy choices.
• Sending you direct marketing by in app messaging,email and SMS , including newsletters, product announcements, partner offerings, surveys, contests or sweepstakes, events, or announcements
• Using cookies or similar technologies for the purposes explained in our Cookie Notice

Legal Basis: Legal obligation

• Complying with EU legal requirements, including those associated with being an authorised virtual asset services provider, ”know your customer,” anti-fraud and anti-money laundering rules, audit and reporting obligations, maintenance of accounting and tax records, sanctions checking/screening, anti-terrorism laws and regulations and fighting crime, politically exposed persons screening, and international tax reporting
• Making legally required disclosures to any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals

4. DISCLOSURES OF YOUR PERSONAL DATA

We are committed to maintaining your trust, and we want you to understand when and with whom we share information about you. We share personal data about you in the instances described below.

Third-party service providers. We share information about you with our third-party service providers that perform services for us, such as fraud and crime prevention services, and sanctions screening, advertising and market research services, mailing services, tax and accounting services, customer support and account management services, backend engineering services, contest fulfilment services, market research services, web, platform and data hosting services and analytics services. We use an identification verification service provider to determine using biometric means (based on your consent) whether a selfie you take matches the photo in your government-issued identification and to gather information needed for any manual identity verification we carry out.

Payment Services Providers. We support account linking and payment services through a third-party provider. We may share details about your Robinhood relationship and accounts with your financial institution.

Companies in which you hold securities. We provide your name, address, email address, and securities positions to requesting companies in which you hold securities in relation to your rights and participation as a shareholder in those companies.

Robinhood affiliates. We share personal data about you with other companies in the Robinhood group. This includes sharing personal data with Robinhood group entities, including in the US, who provide infrastructure, operational, customer service, technical and IT services. We also share personal data between the controllers listed in Annex 1 for the purposes described under this Privacy Policy.

Sale of our business. We may share information about you in connection with a corporate transaction, a merger, consolidation, reorganisation, financing, change in control or acquisition of all or a portion of our business by a third party and as part of any due diligence activities in relation to the foregoing, or in the unlikely event of a bankruptcy or similar proceeding.

Third parties in relation to legal claims: We disclose personal data to third parties as required in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our customers and in order to protect the rights, property or safety of us, our business, our customers or others, including to legal advisors, government and law enforcement authorities, courts and tribunals and with other parties involved in, or contemplating, legal proceedings.

Regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals. We disclose information about you to these third parties upon their request or as required by law as set out in Section 3 above.

With your consent. We share information about you for any other purposes disclosed to you with your consent.

5. WHERE WE SHARE PERSONAL DATA

As a U.S. headquartered company, most of our IT systems are hosted in the United States (including on third party systems). We also share personal data with our group companies in the U.S. As a result, we will transfer your personal data to this jurisdiction, including to our staff members who are located there. We transfer your personal data on the basis of EU standard contractual clauses.

We also transfer your personal data to third parties that host or access personal data outside of the European Economic Area (“EEA”), including Canada, India, Columbia and the Philippines.

Where the country outside the EEA is a country which is subject to an adequacy decision by the European Commission, we rely on that adequacy decision of the transfer (for example, for Canada).

For the other countries not subject to an adequacy decision as described above, we take steps to ensure your personal data is adequately protected. We rely on EU standard contractual clauses. To the extent required or permitted by data protection law, we may alternatively rely on an appropriate Data Protection Framework certification, a vendor's processor binding corporate rules and/or other data transfer mechanisms available under EU data protection laws. A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

6. HOW LONG WE RETAIN YOUR PERSONAL DATA

With respect to our Customers and our services, we retain most personal data for the duration of your relationship with us and a period of up to seven years after that. However, different personal data will be subject to different retention periods depending on the circumstances or applicable law. 7. YOUR DATA SUBJECT RIGHTS

You have the right to ask us for a copy of your personal data; to correct, delete or restrict processing of your personal data; and to obtain the personal data you provide in a structured, machine-readable format. In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing purposes). Where we have asked for your consent, you may withdraw consent at any time. If you ask to withdraw your consent to Robinhood processing your data, this will not affect any processing which has already taken place at that time.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority. For a list of authorities in the EU, see here.

You can exercise your rights by contacting us using the details set out in Section 9. You can also use our self-service tool by logging into your Robinhood account, navigating to the Security and Privacy menu, and selecting the option to either Download Personal Data or Request Data Deletion for access and deletion rights, respectively.

You can opt-out of direct marketing at any time by contacting us using the information in the ‘How to Contact Us’ section or by using the “unsubscribe” option in any direct marketing communication.

8. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy will evolve with time, and when we update it, we will revise the "Last Updated" entry above and post the new Privacy Policy and, in some cases, we provide additional notice (such as adding a statement to our website or sending you a notification). We may communicate any changes with you from time to time in a manner we determine.

9. HOW TO CONTACT US

If you have any questions about this Privacy Policy, wish to exercise your rights or wish to contact us for any other reason in relation to our personal data processing, please contact us at privacy@robinhood.com. You may contact our Data Protection Officer at 85 Willow Road, Menlo Park, CA, 94025 United States, ATTN: Data Protection Officer.

EU Controllers

Robinhood Markets, Inc. Email: privacy@robinhood.com Address: 85 Willow Road, Menlo Park, CA 94025 United States

Robinhood Crypto, LLC (“RHC”) Email: licensing@robinhood.com Address: 85 Willow Road, Menlo Park, CA 94025 United States

Robinhood Europe, UAB Email: privacy@robinhood.com Address: Mėsinių str. 5, Vilnius, the Republic of Lithuania

Robinhood International, Inc. Email: privacy@robinhood.com Address: 85 Willow Road, Menlo Park, CA 94025 United States

Robinhood Securities, LLC Email: privacy@robinhood.com Address: 500 Colonial Center Parkway Suite 100, Lake Mary, FL 32746 United States

Robinhood U.K. Ltd. Email: privacy@robinhood.com Address: 70 Saint Mary Axe Suite 307, London, England, England EC3A 8BE

Say Technologies Email: dataprivacy@saytechnologies.com Address: 85 Willow Road, Menlo Park, CA 94025 United States