Privacy Policy

This Privacy Policy describes how Sorbet Holdings Limited (“Sorbet,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with our websites, products, applications, and APIs (collectively, the “Services”). This Privacy Policy applies when you:

• Access app.mysorbet.io, mysorbet.io, or any other website or page that links to this Privacy Policy

• Register for, access, or use the Services as an individual or business user

• Communicate with us, including for customer support, surveys, marketing communications (where permitted), events, or partnerships

Service model. Sorbet provides a technology platform and orchestration layer. Sorbet is not a bank and does not custody customer fiat funds or digital assets. Where the Services involve regulated activities (including identity verification, compliance screening, virtual account issuance, or payment processing), those activities are performed through third-party regulated partners and verification providers and may be subject to their own terms and privacy policies.

On-chain transparency. Certain information (such as wallet addresses and transaction data) may be recorded on public blockchains and may be publicly accessible. Sorbet does not control public blockchains and cannot delete or modify on-chain data.

If you have questions or concerns, please contact us at [email protected]. You may also contact [email protected]. If you do not agree with this Privacy Policy, do not use the Services.

Summary of Key Points

This summary highlights key points from this Privacy Policy. You can read more details by reviewing the sections below.

• What personal information do we process? We collect information you provide directly, information required for identity verification and compliance (KYC/KYB), information from third parties involved in delivering the Services (such as verification, screening, fraud prevention, and regulated partners), and device/usage data.

• Do we process sensitive personal information? We and/or our regulated partners and verification providers may process certain information that may be considered sensitive in some jurisdictions (such as government ID information and verification data) only for compliance, security, fraud prevention, and providing the Services.

• Do we collect information from third parties? Yes. We may receive verification outcomes, risk signals, screening results, eligibility outcomes, and payment/account status updates from third parties involved in delivering the Services.

• How do we share information? We share information with service providers, verification and screening providers, and regulated partners as needed to operate the Services and comply with law.

• What are your rights? Depending on where you live, you may have rights to access, correct, delete, or object to certain processing of your personal information.

1) Who We Are

Sorbet provides a technology platform that helps users access financial features, including onboarding, identity verification, and payment-related functionality, through third-party regulated infrastructure providers (together, “Regulated Partners”) and identity verification vendors (together, “Verification Providers”).

Depending on the specific feature and relationship, Sorbet may process personal information:

• As a data controller (when we determine how and why personal information is processed for our own purposes, such as operating, improving, and securing our platform); and/or

• As a service provider/processor (when we process personal information on behalf of Regulated Partners or Verification Providers to enable regulated services).

Regulated Partners and Verification Providers may process your information as independent controllers under their own privacy policies and regulatory obligations and may make final determinations on eligibility for certain services.

2) Personal Information We Collect

We collect personal information in the following ways:

A. Information you provide directly

This may include:

• Account and profile information: name, email address, phone number, nationality, authentication details (such as login tokens), and other onboarding information you submit.

• Customer support communications: messages, emails, chat communications, and related metadata. Call recordings may be collected where enabled/available and permitted by law.

• Transaction-related information: information you provide to initiate, receive, or manage payments or related features (for example, beneficiary details, bank account details, payout instructions), where applicable.

B. Identity verification and compliance information (KYC/KYB)

To comply with legal requirements and the requirements of Regulated Partners and Verification Providers, we and/or those third parties may collect and process:

• Government-issued photo identification (e.g., passport, national ID, driving licence)

• Proof of address (e.g., utility bill, bank statement, government correspondence)

• Selfie/liveness verification images (where required)

• Business verification information (KYB): company registration documents, ownership/control information, beneficial owner information, and authorized signatory details

• Source of funds/source of wealth information (where required)

• Any additional documents or information reasonably required to verify identity, assess eligibility, manage risk, prevent fraud, and comply with applicable legal and regulatory obligations

C. Information we receive from third parties

We may receive information from third parties involved in delivering, securing, or enabling the Services, including:

• Identity verification and fraud prevention providers (e.g., verification outcomes, risk signals)

• Sanctions/PEP/adverse media screening providers (e.g., match results or alerts)

• Regulated Partners supporting payment and financial features (e.g., eligibility outcomes, account status updates, payment status and settlement confirmations)

• Social login providers if you choose to sign in using a third-party account

• Public sources where permitted by law (e.g., corporate registries)

D. Automatically collected information (device and usage)

When you use the Services, we may automatically collect:

• Device information (device type, operating system, browser type, language settings)

• Log and usage data (IP address, timestamps, pages/screens viewed, actions taken, error logs)

• Approximate location derived from IP address

• Cookies and similar technologies (see Section 10)

3) How We Use Personal Information

We use personal information to:

• Provide and operate the Services (create accounts, authenticate users, provide requested functionality)

• Verify identity and meet compliance requirements (KYC/KYB, eligibility checks, sanctions/PEP screening, fraud prevention)

• Enable payments and financial features through Regulated Partners (including sharing required information and transmitting instructions to process transactions)

• Improve and secure the Services (debugging, analytics, performance monitoring, preventing abuse, maintaining platform integrity)

• Communicate with you (service notices, security alerts, onboarding messages, support responses)

• Comply with legal obligations (recordkeeping, responding to lawful requests, audits, dispute resolution)

• Enforce our terms and protect rights (investigate violations, prevent fraud, protect Sorbet, our users, and the public)

4) Legal Bases for Processing (where applicable)

Depending on your jurisdiction, we rely on one or more of the following legal bases to process personal information:

• Performance of a contract: to provide the Services you request and operate your account

• Legal obligations: to comply with KYC/KYB, AML, sanctions, recordkeeping, and related regulatory requirements

• Legitimate interests: to secure our Services, prevent fraud, improve products, and maintain operational integrity (balanced against your rights)

• Consent: where required, such as certain marketing communications or specific optional data collection (you can withdraw consent at any time)

5) How We Share Personal Information

We may share personal information with the following categories of recipients:

A. Service providers (processors)

Vendors that help us operate and secure our business (for example, cloud hosting, customer support tools, analytics, security, and infrastructure monitoring). These providers process personal information under contractual obligations and only for our instructions and purposes.

B. Identity verification, screening, and fraud prevention providers

We use third-party providers to support document collection, identity verification, fraud detection, and screening against sanctions/PEP/adverse media sources, as required for the Services.

C. Regulated Partners supporting financial features (independent controllers)

To provide payment and financial features, we may share required information (including identity verification outcomes and supporting documentation where necessary) with Regulated Partners. These parties may process your information as independent controllers under their own privacy policies and regulatory obligations and may make final determinations on eligibility and account availability.

D. Legal, compliance, and safety disclosures

We may disclose information if we believe in good faith that disclosure is necessary to:

• comply with law, regulation, legal process, or governmental request;

• enforce our agreements and policies;

• protect the rights, property, or safety of Sorbet, our users, or others.

E. Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to appropriate confidentiality and security protections.

We do not sell your personal information in the traditional sense.

6) International Data Transfers

Your personal information may be processed in countries other than your country of residence (for example, where our service providers, Verification Providers, or Regulated Partners operate). Where required by law, we use appropriate safeguards for cross-border transfers (such as contractual protections and data processing agreements) and apply industry-standard security measures, including encryption in transit and at rest.

7) Data Retention

We keep personal information only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Fintech compliance note: identity verification and compliance records (including KYC/KYB documents and screening results) may be retained for as long as your account is active and for a period after account closure as required by applicable law and the requirements of our Regulated Partners and Verification Providers (commonly 5–10 years, depending on jurisdiction and product).

When information is no longer needed, we take steps to securely delete, anonymize, or de-identify it, unless we are required to keep it for legal, regulatory, or legitimate business purposes.

8) Security

We use administrative, technical, and physical safeguards designed to protect personal information, such as access controls, encryption, logging, and security monitoring. However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

9) Your Privacy Rights and Choices

Depending on where you live, you may have rights regarding your personal information, which may include:

• Access: request a copy of the personal information we hold about you

• Correction: request correction of inaccurate or incomplete information

• Deletion: request deletion of certain information (subject to legal/compliance retention requirements)

• Restriction/Objection: object to, or request restriction of, certain processing

• Portability: request a portable copy of certain information

• Withdraw consent: where processing is based on consent (you may withdraw consent at any time)

To exercise your rights, contact us at [email protected]. We may need to verify your identity before fulfilling requests, and certain requests may be limited where we must retain information to comply with legal or regulatory obligations or to protect the security and integrity of the Services.

10) Cookies and Similar Technologies

We use cookies and similar technologies to:

• keep you signed in and maintain session security;

• remember preferences;

• understand usage and improve performance.

You can control cookies through your browser settings. Some features may not function properly if cookies are disabled.

Where required by law, we provide a cookie consent mechanism and allow you to manage non-essential cookies through cookie preferences.

11) Social Logins

If you choose to register or log in using a third-party account (such as Google or Apple), we may receive certain information from that provider, such as your name, email address, and basic profile information, depending on the provider and your settings. We use this information only to provide authentication and account access.

We do not control and are not responsible for the privacy practices of third-party login providers. We encourage you to review their privacy policies to understand how they collect, use, and share your personal information.

12) Additional Disclosures for United States Residents

If you are a resident of certain U.S. states, you may have additional rights regarding your personal information. These rights may include the right to request access to, correct, delete, or obtain a copy of certain personal information, and to opt out of certain types of processing (such as targeted advertising), where applicable.

We do not sell personal information in the traditional sense. If we engage in activities that may be considered “selling” or “sharing” under certain U.S. state privacy laws (for example, certain forms of targeted advertising), we will provide applicable opt-out rights as required by law.

To exercise your U.S. privacy rights, contact us at [email protected]. We may need to verify your identity before fulfilling your request.

13) Do-Not-Track Signals

Some browsers provide a “Do-Not-Track” (“DNT”) setting. There is no consistent industry standard for responding to DNT signals, and our Services do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will update this Privacy Policy accordingly.

14) Children’s Privacy

Our Services are not intended for children, and we do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us at [email protected] and we will take steps to delete it where required.

15) Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice as required by law (for example, by posting an update or notifying you through the Services). The “Last Updated” date reflects the most recent revision.

16) How Can You Review, Update, or Delete the Data We Collect From You?

Based on the applicable laws of your country (and, if you are located in the United States, your state of residence), you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please contact us at [email protected] or submit a data subject access request.

17) Contact Us

If you have questions or requests regarding privacy, contact:

Sorbet Holdings Limited Email: [email protected] Alternate contacts: [email protected], [email protected]

Address: Al Maryah Street, DD-15-134-004 – 007, Level 15 WeWork Hub71 __________, أبو ظبي — Abu Dhabi AZ 00000 United Arab Emirates