This policy explains how BC Victoriabank SA (“we,” “us,” or “our”) collects, uses, protects, and shares your personal data when you use our VB24 mobile app and/or other our products and services. We are committed to transparency and compliance with applicable data protection laws.

The Bank informs you that it is registered with the National Centre for Personal Data Protection as a personal data controller under number 0000092.

B.C. Victoriabank S.A. informs you that, when providing financial-banking services, your personal data are collected, processed, stored and kept in accordance with Law no. 133 of 08.07.2011 on the protection of personal data.

Personal data is any information that identifies you or can be linked to you. We do not collect anonymous data that cannot be tied to an individual. We collect data in the following ways:

Data You Provide

You share data when you sign up, use our services, or participate in promotions. This includes:

• Contact Information: When you register or use certain features, we may collect your name, email address, phone number, and mailing address.
• Financial Information: We collect information necessary for banking services, such as account numbers, transaction history, and payment details.
• Identity Verification: We may collect government-issued identification or other verification documents to comply with legal requirements.

If you fail to provide required data, we may not be able to offer our services. You can update your details in your account settings.

Data We Collect Automatically

When you use our services, we collect:

• Transaction data: details of payments, including recipient information and transaction location.
• Device data: IP address, browser type, operating system, device identifiers (e.g., IMEI), VPN or Proxy usage.
• App or website activity: viewed products, page interactions, apps with remote access permissions.
• Behavioral biometrics: patterns like typing speed or mouse movements to detect fraud.
• Device-stored data: contacts from your phone book if you grant access.
• GPS Data: With your consent, we collect precise location data from your device’s GPS to enhance security through location-based features, such as fraud detection.

Third-Party Vendors:

For enhanced mobile security, the app VB24 uses Malwarelytics for Android and iOS, a security SDK that helps detect potentially harmful apps on the device. Malwarelytics is provided by Wultra s.r.o., which acts as a data processor under applicable European Union’s data protection regulations. Information about installed apps and device configuration may be processed solely for security purposes.

 This SDK collects the following data to enhance security:

• Scanning Installed Applications: Malwarelytics analyzes all applications installed on the device to detect malware. It uses the QUERY_ALL_PACKAGES permission to access the list of installed applications.
• Threat Detection: Identifies malicious applications, including those that exploit Accessibility API to collect data or mimic banking apps. Detects apps installed from untrusted sources.
• Smart Protection: Automatically detects and responds to threats by notifying the user about potential risks.
• Detection of Application Changes: Monitors the installation, removal, or update of applications on the device. Identifies the source of app installation (e.g., Google Play, third-party stores).
• Detection of Rooted Devices and Emulators: Detects devices with root access or running on emulators, which may indicate increased security risks.
• Detection of Debugging and Repackaging: Identifies whether the app is being debugged or modified (repackaged), indicating possible tampering attempts.
• Device Information Collection: Gathers data about the device model, screen lock status, availability of biometric authentication, and other security-related parameters.
• Colectarea informațiilor despre dispozitiv: Colectează date despre modelul dispozitivului, starea blocării ecranului, disponibilitatea autentificării biometrice și alți parametri legați de securitate.

Data Processing by Third-Party Processor

• Data collected by Malwarelytics is processed by Wultra exclusively for security purposes. Wultra does not share the data with third parties or use it for other purposes.

We process your data only when legally permitted, based on:

• Contract necessity: to provide services like transfers or account management.
• Legal obligations: to comply with laws, such as anti-money laundering regulations.
• Legitimate interests: to improve services, prevent fraud, or analyze usage.
• Consent: : when you explicitly agree to data processing.

• Identity verification: KYC including biometric checks (with consent).
• Service delivery: to process transfers, manage accounts, offer products (e.g., Assets), and provide customer support.
• Security: to prevent fraud, unauthorized transactions, and ensure platform safety.
• Legal compliance: to meet regulatory requirements, respond to authorities, and protect Victoriabank’s rights.
• Marketing and analytics: to personalize ads, measure campaign effectiveness, and inform you about relevant products.
• Service improvement: to analyze data, develop products and to enhance app’s efficiency.

We may share your data with service providers and partners:

• Banks and financial institutions for payment processing.
• Destinatarilor plăților: Date limitate pentru finalizarea tranzacțiilor.
• Reglementatorilor și organelor de aplicare a legii: Pentru respectarea obligațiilor legale sau protejarea drepturilor.
• Terților: Pentru recuperarea fondurilor trimise din greșeală sau ca urmare a fraudelor.

We keep your data only as long as needed for its intended purpose. As a regulated financial institution, we must retain some data (e.g., transaction records) for 5 years after account closure, depending on applicable laws. Unneeded data is automatically deleted.

We protect your data through:

• Encryption during transmission and storage.
• Regular server updates and patches.
• Restricted access for employees and partners.

You have the right to:

• Access a copy of your data.
• Correct inaccurate data.
• Delete data (where not restricted by law).
• Withdraw consent for processing.
• Object to processing based on legitimate interests.
• Suspend processing in certain cases.

Victoriabank may revise this Privacy Policy from time to time, but will not create less favorable conditions for the users of the application in terms of processing and protection of personal data. Any changes to this Privacy Policy shall be posted on our website.

If you have any questions or concerns about this Privacy Policy or how Victoriabank collects and processes your personal data, please contact us at one of the Bank's territorial units or by email at dcp@vb.md.