1. General Provisions

1.1. Parties; Scope of this Notice

This privacy policy/notice (the “ Notice ”) sets out the terms and conditions governing the collection,

recording, input, systematization, organization, storage, use, modification, restoration, transfer,

rectification, blocking, deletion/destruction, and other operations performed with personal d ata,

irrespective of the form and method of performing such operations (collectively, “ Processing ”) of visitors

and users (including registering/registered users, collectively, the “Client”) of (i) the website(s) and (ii)

web/mobile applications operated u nder the brand “VELAR CAPITAL” by “VELAR CAPITAL” Closed Joint -

Stock Company (“ Velar ” or the “ Company ”), together, the “ Platform ” (Website and Applications).

Velar operates the Platform and provides technological infrastructure, user interface, marketing materials,

and communication channels through which Clients may access certain financial and investment services.

Certain financial, investment, brokerage, account management, custody, and other regulated services

accessible through the Platform (the “Regulated Services”) are provided exclusively by “SIRIUS CAPITAL”

Closed Joint -Stock Company (Sirius Capital CJSC), a regulated investment company licensed and

supervised by the Central Bank of the Republic of Armenia and operating in accordance with the legislation

of the Republic of Armenia.

Velar does not independently provide regulated investment, brokerage, custody, or other licensed

investment services.

Velar acts as an independent data controller with respect to Processing carried out for operating and

improving the Platform, marketing Velar’s own activities, and providing Platform support. Sirius Capital

CJSC acts as an independent data controller with respect to Processing carried out for the provision of

the Regulated Services, including KYC/AML and statutory recordkeeping.

1.2. Application of this Notice

This Notice applies to Processing carried out by Velar in connection with the operation of the Platform,

including collection of data necessary to enable Clients to access Regulated Services provided by Sirius

Capital CJSC via the Platform.

1.3. Relationship with Sirius Capital CJSC; Data Transfers

Regulated Services are rendered exclusively by Sirius Capital CJSC. The Client’s contractual and legal

relationship in respect of Regulated Services arises solely with Sirius Capital CJSC and is governed by the

relevant agreements, disclosures, policies, a nd applicable law of the Republic of Armenia.

By accepting this Notice, using the Platform, or submitting personal data through the Platform, the Client

provides informed, freely given, and explicit consent (where consent is the applicable legal basis) to Velar’s

Processing of the Client’s personal da ta and to the transfer of such data to Sirius Capital CJSC for the

purposes described in this Notice.

1.4. Marketing Communications

Where the Client enters into any contract for Regulated Services, such contract is concluded exclusively

with Sirius Capital CJSC and not with Velar.

From the time of accepting this Notice or using the Platform, the Client expressly and knowingly consents

to receiving advertising, promotional, and informational communications from Velar through available

channels (including email, SMS, push notification s, phone calls, in -app alerts, and social media), subject

to the Client’s right to opt out at any time as described in Section 9.

Unless expressly stated otherwise, marketing communications distributed by Velar shall not be deemed to

constitute communications, offers, recommendations, or representations made by Sirius Capital CJSC.

Velar will not send marketing communications where prohibited by applicable law and will apply

appropriate frequency and content limitations consistent with reasonable expectations of Clients.

1.5. Transfer of Data to Sirius Capital CJSC; Separate Responsibility

The Client consents to the transfer to Sirius Capital CJSC of personal data and other information collected

through the Platform, including identification data, contact details, financial and account -related

information submitted through the Platform, tech nical data, behavioral data, cookie/analytics data, and

other data generated through use of the Platform, to the extent necessary to enable Sirius Capital CJSC

to provide Regulated Services, conduct identification and verification, comply with AML/CFT and other

regulatory requirements, execute transactions, and fulfill contractual and legal obligations.

Upon receipt of such data, Sirius Capital CJSC processes personal data as an independent data controller

in accordance with its own privacy documentation and the legislation of the Republic of Armenia. Velar is

not responsible for Sirius Capital CJSC’s sub sequent Processing within the scope of Regulated Services.

Nothing in this Notice creates joint controllership between Velar and Sirius Capital CJSC, unless expressly

required by applicable law for a specific Processing activity, in which case the parties’ respective roles and

responsibilities will be made availab le to Clients as required.

2. Legal Bases for Processing

Velar processes personal data through the Platform in accordance with the legislation of the Republic of

Armenia, including the RA Law “On Personal Data Protection”, on one or more of the following grounds

(as applicable): (i) the Client’s consent; (ii) ta king steps at the request of the Client prior to entering into

a contract (including facilitating onboarding to Regulated Services); and (iii) the legitimate operation,

security, and improvement of the Platform.

To the extent personal data is transferred to Sirius Capital CJSC for Regulated Services, Sirius Capital

CJSC processes such personal data as an independent data controller in accordance with, inter alia:

• the RA Law “On Personal Data Protection”;

• the RA Law “On the Securities Market”;

• the RA Law “On Combating Money Laundering and Terrorism Financing”;

• other applicable normative acts; and

• the service agreements and disclosures concluded between the Client and Sirius Capital CJSC.

Processing by Sirius Capital CJSC for regulatory compliance (including identification, AML/CFT, reporting,

transaction monitoring, supervision, audits, and statutory recordkeeping) is performed on the legal

grounds established by the legislation of the Rep ublic of Armenia and is not performed on behalf of Velar.

Data relating to legal entities is processed pursuant to applicable Armenian legislation, including the RA

Law “On State Registration of Legal Entities, Separate Subdivisions of Legal Entities, Institutions, and

Individual Entrepreneurs.”

Where consent is relied upon, the Client may withdraw consent at any time; however, withdrawal of

consent does not affect the lawfulness of Processing carried out prior to withdrawal and may result in the

inability to provide certain Platform features and/ or facilitate access to Regulated Services.

3. Categories of Personal Data Processed and Methods of Collection

3.1. Data Submitted by Clients for Access to Regulated Services

To enable access to Regulated Services provided exclusively by Sirius Capital CJSC, the Client may be

required to submit personal data and supporting documentation via the Platform, which may include:

Individuals / Individual Entrepreneurs

• real-time selfie (online self -portrait);

• identity document or other official document containing a photograph and (at minimum) name,

surname, citizenship, registration address (if any), date and place of birth, series and number,

date and place of issuance;

• place of residence, contact details;

• bank account details;

• for individual entrepreneurs: registration and taxpayer details.

Additional information for regulatory compliance may include information and documents regarding

residency, marital status, employment, income, source of funds/source of wealth, and other

identification/verification data required by AML/CFT and other regul ations.

Legal entities

• state registration extract/certificate and corporate documents (e.g., charter);

• identification and taxpayer numbers (where applicable);

• registered address and place of business;

• bank account details;

• information on management bodies and authorised signatories;

• identification data of authorized representatives;

• information on beneficial owners and control structure to the extent required for AML/CFT

compliance;

• financial statements and other data where required.

All such data and documentation collected through the Platform may be transferred to Sirius Capital CJSC

for identification, verification, contractual onboarding, transaction monitoring, and other statutory

obligations. Sirius Capital CJSC independently de termines the scope and necessity of data for Regulated

Services.

Velar does not independently perform regulated identification or AML/CFT verification assessments; Velar

facilitates secure collection and transmission to Sirius Capital CJSC.

The Client is responsible for ensuring that information provided is accurate, complete, and up to date.

Personal data is processed in a manner proportionate to the purposes set out in this Notice and applicable

requirements.

Velar does not intentionally collect “special category”/sensitive personal data (e.g., health data) through

the Platform, unless strictly necessary for legal compliance and expressly requested by Sirius Capital CJSC

under applicable law; Clients should not provide such data unless specifically requested.

3.2. Technical and Usage Data

When using the Platform, Velar may collect technical and usage data, including IP address, access time

and date, pages/screens visited, language settings, browser type, device identifiers, operating system,

application version, and other interaction data. This data is collected to operate, secure, maintain,

troubleshoot, and improve the Platform and to prevent fraud and abuse.

To the extent necessary for the provision of Regulated Services (e.g., security, authentication, fraud

prevention), such technical data may be transferred to Sirius Capital CJSC, which then processes it

independently in connection with Regulated Services.

3.3. Sources of Collection

Velar collects personal data by the following means:

• when the Client registers on or uses the Platform;

• when the Client submits inquiries via “Contact Us” or other communication channels;

• through passive collection (cookies, SDKs, similar technologies) during use of the Platform;

• where applicable and legally permitted, through queries to publicly available or authorized

state/local information systems for onboarding facilitation.

3.4. Processing Principles

In processing personal data, Velar is guided by principles including legality, fairness, purpose limitation,

data minimization, relevance, accuracy, and security; transparency toward data subjects; enabling data

subjects to influence accuracy and completen ess; and maintaining internal controls and readiness for

inspections.

Processing conducted independently by Sirius Capital CJSC in connection with Regulated Services is

governed by Sirius Capital CJSC’s policies and applicable regulatory obligations.

4. Purposes of Processing

4.1. Purposes of Processing by Velar

Velar processes personal data for:

• operating, administering, and improving the Platform;

• enabling Clients to submit applications and access Regulated Services provided by Sirius Capital

CJSC via the Platform;

• communicating with Clients and providing Platform support;

• conducting advertising and marketing campaigns related to Velar and/or the Platform;

• maintaining accuracy and updating data within Velar’s systems (where applicable);

• ensuring cybersecurity, technical integrity, fraud prevention, and incident response.

Velar does not provide regulated investment or brokerage services.

4.2. Purposes of Processing by Sirius Capital CJSC

Sirius Capital CJSC processes personal data transferred to it for providing Regulated Services, including:

• opening and managing client accounts;

• concluding and performing agreements with Clients;

• identification and verification;

• AML/CFT procedures and sanctions screening;

• transaction monitoring, fraud detection, and security;

• complying with Armenian legal and regulatory requirements (including reporting and supervisory

obligations).

Sirius Capital CJSC independently determines purposes and means of its Processing.

4.3. Aggregated/De -identified Data

Velar may create aggregated and/or de -identified datasets from Platform usage data for analytics, security,

and business planning. Such datasets are not intended to identify Clients. Where de -identified data is later

combined with other data in a manner th at could re -identify a Client, it will be treated as personal data

under this Notice.

5. Security Measures

5.1. Measures Implemented by Velar

Velar implements appropriate legal, organizational, and technical measures consistent with Armenian law

and internal information security policies, including access controls, technical safeguards to prevent

unauthorized access/alteration/disclosure/destruc tion, and internal monitoring.

Access to personal data is limited to authorized personnel on a need -to-know basis. Personnel with access

are bound by confidentiality obligations and may incur disciplinary, administrative, civil, and criminal

liability under Armenian law for unlawful dis closure or misuse.

5.2. Measures Implemented by Sirius Capital CJSC

Upon transfer of data, Sirius Capital CJSC independently implements appropriate measures in accordance

with Armenian law, regulatory requirements applicable to licensed investment companies, AML/CFT

requirements, and its internal security/compliance polici es.

Nothing in this Notice imposes joint security obligations or joint liability between Velar and Sirius Capital

CJSC.

5.3. Third -Party Service Providers; Cross -Border Transfers

Where Velar uses third -party service providers to operate the Platform (e.g., hosting, analytics,

messaging), Velar ensures appropriate contractual and technical safeguards.

Where Sirius Capital CJSC uses third -party providers in connection with Regulated Services, Sirius Capital

CJSC ensures safeguards consistent with applicable laws and regulations.

Where personal data is transferred outside the Republic of Armenia, the transferring entity implements

legal mechanisms intended to ensure adequate protection of personal data.

Velar may use cloud infrastructure, communications providers, and analytics tools that process data in

jurisdictions outside Armenia; where applicable, Velar will implement safeguards required by law

(including contractual protections) and will limit cross -border transfers to what is necessary for Platform

operation, security, and analytics.

In the event of a personal data breach that creates risks to the rights and freedoms of Clients, Velar will

take reasonable steps to investigate, mitigate, and, where required by applicable law, notify competent

authorities and/or affected Clients.

6. Retention (Storage Periods)

6.1. Retention by Velar

Velar retains personal data only for the period necessary to fulfil the purposes in Section 4.1 (Platform

operation, support, security, marketing), unless a longer retention period is required by law (e.g., for

dispute resolution, compliance, or audit need s). Velar periodically reviews retention practices.

6.2. Retention by Sirius Capital CJSC

Sirius Capital CJSC retains and processes personal data in accordance with Armenian law and its internal

policies, including statutory retention obligations applicable to licensed investment companies and

AML/CFT recordkeeping. Retention periods may exceed the duration of the Client’s active relationship

where required by law, audits, disputes, or supervisory directives.

Velar is not responsible for Sirius Capital CJSC’s retention practices within Regulated Services.

Velar will apply a documented retention schedule for major data categories (e.g., account/registration

data, support communications, logs), and will securely delete or anonymize personal data when retention

is no longer necessary, unless retention is legal ly required.

7. Client Rights

Clients have the rights provided under the RA Law “On Personal Data Protection”, including the right to

request access to, rectification of, and (where legally applicable) deletion/destruction of their personal

data, as well as other rights available under Armenian law.

The Client may withdraw consent to Processing by Velar and/or request deletion/destruction of personal

data processed by Velar by submitting a written request signed by hand or with a qualified electronic

signature. Velar will cease Processing and delete/d estroy relevant personal data within ten (10) business

days of receipt, unless retention is required by law. In such case, Velar may be unable to provide certain

Platform features.

These rights apply to personal data processed by Velar for Platform operation.

Personal data transferred to and processed by Sirius Capital CJSC for Regulated Services may be subject

to statutory retention and Processing requirements (including AML/CFT), and deletion/destruction may

be restricted until expiration of applicable retention periods. Requests relating to data processed by Sirius

Capital CJSC should be addressed directly to Sirius Capital CJSC pursuant to its privacy documentation.

The Client may opt out of non -essential marketing communications from Velar at any time via an

unsubscribe mechanism (where available) or by submitting a request.

Where third -party analytics are used (including third -country providers such as Yandex Metrica), the

Client may withdraw consent for such Processing by managing cookie/device settings; however, disabling

certain technologies may limit Platform functionalit y.

Clients have the right to lodge a complaint with the competent authority responsible for personal data

protection in the Republic of Armenia, as well as to seek judicial protection of their rights, in accordance

with applicable law.

Velar may request reasonable verification of identity before responding to a request, to protect Clients

and prevent unauthorized disclosure.

8. Cookies and Similar Technologies

8.1. Cookies on Client Devices

Velar may store certain data on Client devices (cookies and similar technologies) to analyze Platform use,

enhance functionality, improve user experience, and tailor content.

Velar may also use similar technologies (including SDKs in mobile applications) for Platform performance

and analytics. Cookies/technologies are not used to access a Client’s device beyond Platform interaction.

Velar controls the implementation and management of cookies within the Platform.

To the extent cookie -derived information is transferred to Sirius Capital CJSC for Regulated Services (e.g.,

security/fraud prevention), Sirius Capital CJSC processes it independently.

Where the Platform is accessed via a mobile application, Velar may use mobile identifiers and app analytics

SDKs which function similarly to cookies.

8.2. Necessary vs. Optional Cookies; Client Controls

Strictly necessary cookies enable navigation, authentication, session management, and security, and are

essential for Platform operation.

Velar may also use:

• Session cookies (deleted when the session ends);

• Persistent cookies (retained for a defined period);

• Analytical cookies (to measure and improve Platform performance).

Clients can refuse or delete cookies and adjust browser/device settings. Disabling cookies may limit

Platform functionality.

Where required by applicable law, Velar will obtain cookie/analytics consent through an in -app or website

consent mechanism and will provide granular controls for non -essential cookies/technologies.

8.3. Yandex Metrica

Velar uses Yandex Metrica to analyze user interaction with the Platform. Yandex Metrica may collect user

behavior, clicks, session duration, IP address, device data, and browser information for analytics and

optimization purposes.

By accepting this Notice and continuing to use the Platform, the Client consents (where consent is the

applicable basis) to collection and cross -border transfer of data through Yandex Metrica for analytics, in

accordance with Yandex’s privacy policy:

https://metrica.yandex.com/about/info/privacy -policy

Velar controls Yandex Metrica configuration. Sirius Capital CJSC does not determine Processing through

Yandex Metrica within the Platform.

Velar may replace or supplement analytics providers from time to time; any material change will be

reflected in updated versions of this Notice and, where required, through updated consent mechanisms.

8.4. Flash Cookies

If Flash cookies are used, Clients may modify settings via the Flash player settings manager. Blocking

cookies may impair Platform functionality.

9. Communications; Opt -Out

The Client may opt out of Velar’s non -essential marketing communications at any time by using

unsubscribe tools in the relevant message (if available) or by sending a request via Velar’s support

channels.

Velar will continue to send strictly necessary service/administrative messages (e.g., security alerts,

account-related notices, technical updates) where such messages are required for Platform operation or

security, regardless of marketing opt -out.

10. Allocation of Responsibility for Content and Information

The Platform is managed and administered by Velar. Sirius Capital CJSC bears responsibility exclusively

for Regulated Services it provides under its agreements and Armenian law.

Sirius Capital CJSC is not responsible for informational/marketing materials displayed within the Platform

by Velar, including summaries, projections, commentary, or other content, or decisions made by the Client

based on such content unless expressly inco rporated into Sirius Capital CJSC contractual documentation.

Unless expressly stated otherwise in writing by Sirius Capital CJSC, no content within the Platform

constitutes investment advice, recommendation, solicitation, offer, guarantee, or representation by Sirius

Capital CJSC. Velar is not authorized to make bin ding commitments on behalf of Sirius Capital CJSC absent

written authorization.

11. Contact Details

11.1Contacting Velar (Platform Privacy Requests)

Clients may contact Velar regarding this Notice, Platform data Processing, marketing opt -out, and data

subject requests relating to Processing by Velar via: [ADD: Velar’s email / postal address / phone / in -app

support channel].

11.2 Contacting Sirius Capital CJSC (Regulated Services Privacy Requests)

Requests relating to Processing by Sirius Capital CJSC for Regulated Services should be submitted directly

to Sirius Capital CJSC via: [ADD: Sirius privacy email / address / phone], in accordance with Sirius Capital

CJSC’s privacy documentation.

12. Children / Minors

The Platform and Regulated Services are not intended for persons who lack legal capacity to enter into

contracts under Armenian law. Velar does not knowingly collect personal data from minors without

appropriate legal basis and, where required, valid conse nt of a parent/legal representative. If Velar

becomes aware that personal data has been collected from a minor in breach of applicable law, Velar will

take reasonable steps to delete such data.

13. Automated Decision -Making

Velar does not make decisions producing legal effects concerning the Client solely on the basis of

automated Processing. Where Sirius Capital CJSC uses automated tools for fraud prevention, risk scoring,

AML/CFT monitoring, or security, such Processing is governed by Sirius Capital CJSC’s policies and

applicable law.

14. Validity and Amendments

14.1. Entire Notice

This Notice constitutes Velar’s complete privacy notice for operation of the Platform and supersedes prior

versions issued by Velar to the extent they relate to the Platform.

This Notice and amendments enter into force upon publication on the Platform and apply to personal data

processed by Velar in connection with Platform operation. Consent given upon acceptance remains valid

for the duration of the Client’s interaction with the Platform and until the purposes of Processing by Velar

are fulfilled, subject to applicable law.

Nothing in this Notice replaces or supersedes any agreement, disclosure, or privacy documentation issued

by Sirius Capital CJSC in connection with Regulated Services.

14.2. Changes

Velar may unilaterally amend this Notice from time to time by publishing the updated version on the

Platform. Continued use of the Platform after publication constitutes acceptance of the revised Notice with

respect to Processing performed by Velar.

Clients should periodically review the privacy section of the Platform to stay informed of updates.

Where changes materially affect Clients’ rights or the nature of Processing (especially regarding cross -

border transfers or analytics), Velar will take reasonable steps to provide additional notice in -app or by

other appropriate means, and obtain renewed c onsent where required by law.