SKY CAPITAL & FINANCIAL ALLIED INTERNATIONAL LIMITED

INTRODUCTION

Sky Capital & Financial Allied International Limited is committed to protecting the privacy and personal data of clients, business partners, employees and users of our digital platforms. This Data Protection Notice explains how personal data is collected, used, stored and shared by companies operating under the “Sky Capital & Financial Allied International Limited brand” when individuals interact with our services, websites or representatives. This notice also outlines the rights available to individuals in relation to their personal data and the safeguards implemented to ensure that such data is processed responsibly. This notice is issued in compliance with the requirements of the Nigeria Data Protection Act and the Nigeria Data Protection Regulation.

WHO WE ARE

For the purpose of this Privacy Policy, “Sky Capital & Financial Allied International Limited”, “we”, “our” or “us” refers to “Sky Capital & Financial Allied International Limited” and other affiliated companies operating under the Sky Capital & Financial Allied International Limited brand that provide financial services. These affiliated companies include: • Sky Capital & Financial Allied International Limited • Sky Capital Asset Management Limited • Sky Finance Company Limited Although these companies may operate under the Sky Capital & Financial Allied International Limited brand and may share certain administrative or operational services, they are “separate legal entities” that may process personal data in connection with the specific services they Provide.

DATA CONTROLLER

As a Data Controller under the Nigeria Data Protection Act (NDP Act) 2023, we are committed to safeguarding the confidentiality, integrity, and security of all personal data entrusted to us. By using our services, you entrust us with your information. We understand the responsibility this carries and are dedicated to processing your data in compliance with the NDP Act 2023, GAID 2025, and other applicable regulations.

For the purposes of applicable data protection laws, the entity that determines the purposes and means of processing personal data in relation to a specific service will act as the “Data Controller”.

In many cases, this will be “Sky Capital & Financial Allied International Limited”, which provides certain administrative and operational functions across companies operating under the Sky Capital & Financial Allied International Limited brand.

However, where services are provided by a specific regulated entity, that entity may act as an “independent or joint Data Controller” in respect of personal data processed in connection with those services.

These entities may include:

• Sky Capital Asset Management Limited – providing investment and asset management services
• Sky Finance Company Limited – providing finance house services
• Sky Capital & Financial Allied International Limited – providing money lending services

Each entity processes personal data in accordance with applicable laws and regulatory obligations.

PERSONAL INFORMATION WE COLLECT

What personal information Sky Capital & Financial Allied International Limited collects and where we get it from.

‘Personal information’ is any information that can be used to identify you or that we can link to you and which we have in our possession or control.

We will collect and process the following personal information about you:

• Personal details such as your full name, title, occupation, nationality, country of residence, contact details, home/work address, email addresses and telephone numbers;
• Information required by Sky Capital & Financial Allied International Limited to meet legal and regulatory requirements in respect of anti-money laundering legislation, including personal details such as gender, date of birth, passport number(s), other government issued number(s), nationality, images of passports and driving license, signatures, occupation, source of funds and source of wealth, criminal records and political or family associations;
• Information required by Sky Capital & Financial Allied International Limited to meet legal and regulatory requirements relating to the exchange of tax information, including details of tax classification and tax identification numbers;
• Financial information, including billing address, bank account numbers, instruction records, transaction details, counterparty details, and specimen signatures;
• Details of meetings and telephone calls with our offices and employees;
• Information about entities with which you are connected, including your employer, your advisers, banking and other service providers and entities in which you have an interest; and
• Any other information you may provide to us in the course of corresponding with us or might be provided to us by our clients, third parties etc.

Special category data:

We may collect this where we are required to do so for the purposes of our legal and/or regulatory obligations including but not limited to those in relation to anti-money laundering and combatting the financing of terrorism. This may include information revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, and similar sensitive data as defined under applicable law.

HOW WE COLLECT PERSONAL DATA

HOW WE COLLECT PERSONAL DATA We collect this information in a variety of ways but mainly directly from you when you contact us or request information from us where we are providing services to you or we receive services from you including: o When you register for our events, subscribe to our newsletters or mailing lists; o Information set out in any agreements entered with us; o As part of the client due diligence process and through onboarding documentation; o From subscription, redemption and transfer documentation, questionnaires and other forms and agreements in relation to ongoing services; and o Personal data provided by you by way of correspondence with us by telephone, email or otherwise. We also collect information from third parties or publicly available sources. These third parties and publicly available sources include lawyers, accountants and professional advisors, other financial institutions that process your personal data to satisfy their own regulatory requirements, credit reference agencies and financial crime databases in order to comply with our regulatory requirements as well as from other Sky Capital & Financial Allied International Limited affiliated companies. Website and cookies We may collect your personal information through your use of our website via cookies. These cookies help us to provide you with an optimized experience, understand how you use the website, provide personalized features and content, and to deliver advertisements. We also use cookies to ensure that our website is functioning correctly. For further information about cookies, please see our cookie notice here.

HOW WE USE PERSONAL DATA

We collect and use your personal information to: • Provide and perform our obligations with respect to the services or otherwise in connection with fulfilling instructions; • Validate authorized signatories for processing agreements and transactions; • Contact nominated individuals in connection with transactions and contractual agreements. • Respond to enquiries and fulfill requests from you/our clients, service providers and/or relevant third parties who may require information for providing services and to administer account(s) and manage our relationships; • Verify an individual’s identity and/or location (or the identity or location of our client’s or service provider’s representative or agent) in order to allow access to relevant client accounts or conduct online transactions; • Protect the security of accounts and personal data; • Risk management/audit, compliance with our legal and regulatory obligations and for fraud detection, prevention and investigation, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting; • Comply with applicable law including treaties or agreements with or between foreign or domestic governments (including in relation to tax reporting laws), (which may include laws outside the country you are located in), to respond to requests from public and government authorities (which may include authorities outside the country you are located in), to cooperate with law enforcement, governmental, regulatory, securities exchange or other similar agencies. • The processing is in Sky Capital & Financial Allied International Limited’s legitimate interests • For marketing and promotion of complementary services • Monitor and record communications, including emails, for investigation and fraud prevention purposes, crime detection, prevention and investigation; and • For client research and management, and to improve the quality of services

LEGAL BASIS FOR PROCESSING

• Consent
• Contract performance
• Legal obligation
• Legitimate interest
• Public interest
• Vital interest

USE OF ARTIFICIAL INTELLIGENCE AND AUTOMATED DECISION-MAKING

We may use artificial intelligence (“AI”), machine learning systems, and other automated technologies as part of our operations... (content unchanged)

DISCLOSURE AND SHARING OF DATA

Personal Data may be disclosed to third parties in connection with the services we are providing...

DATA SUBJECT RIGHTS

• Right to access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to withdraw consent
• Right to complain to NDPC

RETENTION OF YOUR DATA

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying legal, regulatory, accounting, and reporting obligations.

In determining appropriate retention periods, we consider the nature, sensitivity, and volume of personal data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing, and applicable legal and regulatory requirements.

Retention Schedule

• Know Your Customer (KYC) and Customer Due Diligence Records
  Retained for a minimum of five (5) years after the end of the customer relationship, in accordance with applicable anti-money laundering and regulatory requirements.
• Transaction and Financial Records
  Retained for a minimum of five (5) years, as required for financial reporting, audit, and regulatory compliance purposes.
• Customer Account and Service Data
  Retained for the duration of the customer relationship and for a defined period thereafter to address legal, regulatory, and operational requirements.
• Data Marketing and Communications
  Retained until the individual withdraws consent or opts out, after which it may be retained on a suppression list to ensure compliance with opt-out requests.
• CCTV and Security Footage
  Retained for a limited period, typically 30 to 90 days, unless required for investigation, legal proceedings, or regulatory purposes.
• Employee and Contractor Data (where applicable)
  Retained for the duration of engagement and for a statutory period thereafter in line with employment and tax laws.

Exceptions

In certain circumstances, Sky Capital may retain personal data for longer periods where required:

• To comply with legal or regulatory obligations
• In connection with actual or anticipated litigation
• For the establishment, exercise, or defense of legal claims
• Where required by regulators or supervisory authorities

Data Disposal

When personal data is no longer required, it is securely deleted, anonymized, or destroyed in accordance with our internal data protection and information security policies.

DATA SECURITY

We implement appropriate technical and organizational measures to safeguard personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Access to personal data is restricted to employees, agents, contractors, and third parties who have a legitimate business need to know. Such persons are subject to strict confidentiality obligations and are required to process personal data only in accordance with our instructions and applicable data protection laws.

We maintain internal policies and procedures designed to ensure the ongoing confidentiality, integrity, and availability of personal data, including access controls, data security protocols, and regular monitoring of our systems.

Data Breach Management and Notification

We have established procedures to detect, investigate, and respond to suspected or actual personal data breaches.

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals:

• The breach will be reported to the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach, where feasible, in accordance with applicable law
• Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms

We will also take appropriate steps to mitigate the effects of any breach and to prevent a recurrence.

CROSS BORDER TRANSFERS

In certain circumstances personal data may be transferred to service providers, affiliates, or partners located outside Nigeria. Where personal data is transferred outside Nigeria, including within entities associated with Sky Capital & Financial Allied International Limited or to third parties in other jurisdictions, such transfers will only take place where appropriate safeguards are in place to ensure an adequate level of protection in accordance with applicable data protection laws.

Safeguards for International Transfers

Where required, we will implement one or more of the following safeguards:

• Standard Contractual Clauses (SCC) or equivalent contractual data protection provisions
• Adequacy decisions recognizing that a jurisdiction provides an adequate level of data protection
• Binding Corporate Rules (BCR) or other approved intra-group transfer mechanisms (where applicable)
• Legally enforceable agreements ensuring that personal data is processed only for specified purposes and protected against unauthorized use or disclosure

All recipients of personal data are required to implement appropriate technical and organizational security measures and are restricted from using the data for their own purposes or disclosing it further without authorization.

YOUR RIGHTS AS A DATA SUBJECT

You have a number of legal rights in relation to the personal information that Sky Capital & Financial Allied International Limited holds about you, and you can exercise your rights by contacting us using the details set out below.

Depending on applicable law, these rights may include:

• Right to access — request information regarding processing and access to your personal data
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data in certain circumstances
• Right to restrict processing — request limitation of processing under certain conditions
• Right to withdraw consent — withdraw consent where processing is based solely on consent
• Right to object — object to processing under certain conditions
• Right to data portability — request transfer of your data to another organization
• Right to non-discrimination — not be penalized for exercising your rights
• Right to be informed — receive clear information about data usage
• Right to complain — lodge a complaint with the Nigeria Data Protection Commission (NDPC)

How to Exercise Your Rights

You may exercise your rights by submitting a request to Sky Capital via email to the Data Protection Officer at: dpo@skycapitallimited.com

Your request should include sufficient information to enable us to identify you and understand the nature of your request.

Identity Verification

To protect your personal data, we may require you to verify your identity before processing your request.

Response Timeline

Sky Capital will respond to all valid requests within 10 working days of receipt, subject to verification and complexity.

Limitations and Refusals

We may refuse or limit requests where:

• The request is manifestly unfounded or excessive
• Compliance would affect the rights and freedoms of others
• The data is required for legal or regulatory purposes
• The data is subject to ongoing investigations or proceedings
• We are legally required or permitted to retain the data

Where a request is refused, we will provide reasons and inform you of your right to complain to the NDPC.

RECORDING OF COMMUNICATIONS

When individuals communicate with Sky Capital & Financial Allied International Limited by way of telephone conversations and electronic communications, including emails, text messages and instant messages, these may be recorded and/or monitored for evidentiary, compliance, quality assurance and governance purposes or as required by applicable law.

DATA PRIVACY IMPACT ASSESSMENT (DPIA)

The Company shall conduct a DPIA whenever processing is likely to result in high risk to the rights and freedoms of data subjects, particularly in circumstances listed under Article 28(3) of the GAID 2025, including:

• Profiling, scoring, or automated decision-making
• Systematic monitoring
• Processing of sensitive data
• Processing involving vulnerable data subjects
• Deployment of new technologies
• Surveillance using CCTV
• Financial services using digital platforms
• Cross-border data transfer

All DPIAs shall comply with the requirements of the GAID 2025 and be vetted by a certified DPO accredited by the Commission.

EMAIL MARKETING AND SUBSCRIPTION

You can stop the delivery of marketing emails from Sky Capital & Financial Allied International Limited at any time by unsubscribing or opting out via the link included in every email. Alternatively, you can make a direct request to unsubscribe by emailing info@skycapitallimited.com

HOW TO CONTACT US

If you have any concerns or questions about this privacy notice or would like to exercise your rights as a data subject, you can contact our Data Protection Officer:

Email: dpo@skycapitallimited.com

UPDATES

We will update this privacy notice when necessary to reflect changes in the law, our practices and in our services, as well as to ensure it is accurate and up to date. When we make an update we will amend the date at the top of this notice, you are therefore advised to check this privacy notice periodically. We may also notify you in other ways from time to time about the processing of your personal information.

DEFINITIONS

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:

“Personal Data”
Any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

“Sensitive Personal Data”
Personal Data relating to an individual’s race or ethnic origin, religious or similar beliefs, health status, sex life, political opinions, trade union membership, criminal records, or any other information classified as sensitive under applicable law.

“Processing”
Any operation or set of operations performed on Personal Data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.

“Data Subject”
Any identified or identifiable natural person whose Personal Data is processed.

“Data Controller”
The entity that determines the purposes and means of the processing of Personal Data. For the purposes of this Privacy Policy, Sky Capital & Financial Allied International Limited acts as the Data Controller.

“Data Processor”
Any natural or legal person or entity which processes Personal Data on behalf of the Data Controller.

“Third Party”
Any natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, Data Processor, or persons authorized to process Personal Data under the direct authority of the Data Controller or Processor.

“Affiliate”
Any entity that is related to Sky Capital & Financial Allied International Limited through common ownership, management, or control, including entities that operate under the Sky Capital brand.

“Consent”
Any freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes by which they signify agreement to the processing of their Personal Data.

“Legitimate Interest”
A lawful basis for processing Personal Data where such processing is necessary for the legitimate business interests of the Data Controller or a third party, provided such interests are not overridden by the rights and freedoms of the Data Subject.

“Personal Data Breach”
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Profiling”
Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a Data Subject, including analysis or prediction of performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Cross-Border Transfer”
The transfer of Personal Data from Nigeria to a foreign country or international organization.

“Supervisory Authority”
The regulatory authority responsible for overseeing compliance with data protection laws. In Nigeria, this refers to the Nigeria Data Protection Commission.

CONTACT

Email: dpo@skycapitallimited.com

Phone: +2347025002871

Address: 10 Anifowose Street, Victoria Island, Lagos