SUPPORT REQUEST

PRIVACY NOTICE

CRC CF (Lux) S.à r.l. acting in respect and on behalf of its compartment “Nimbus”

  1. Introduction
    1. The present Privacy Notice describes how CRC CF (Lux) S.à r.l., a société à responsabilité limitée incorporated under the laws of the Grand Duchy of Luxembourg with its registered office at 8-10, avenue de la Gare, L-1610 Luxembourg, Grand Duchy of Luxembourg and registered with the Luxembourg Register of Trade and Companies (Registre de commerce et des sociétés, Luxembourg) under number B193317, acting in respect and on behalf of its compartment “Nimbus” (the “Company”, “we”, “our”) collects, uses and protects personal data in the context of the acquisition and management of the loan portfolio referred to as “Nimbus”.
    2. This Privacy Notice aims to ensure transparency regarding the processing of personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Luxembourg data protection legislation.
    3. Capitalised terms used herein have the meaning assigned to them in the Glossary at the end of this Notice.

  1. Purpose of this Privacy Notice
    1. This Privacy Notice explains:
      • what types of personal data we process,
      • how and why we process such data,
      • the legal bases for the processing,
      • the parties with whom data may be shared, and
      • the rights of data subjects.
    2. Our data processing practices may evolve over time. This Notice may be updated periodically to reflect changes to our operations or legal obligations.
    3. Pursuant to servicing agreement dated 19.11.2025 the Company has appointed QQuant Master Servicer Single Member SA, a Greek law 5072/2023 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 143190101000, (hereinafter referred to as the “Servicer”) to service a portfolio of Greek loans owned by the Company.

  1. The Company as a Data Controller
    1. The Company acts as an independent data controller for personal data it receives or accesses in connection with:
      • the operation and administration of the Company;
      • the acquisition, holding and management oversight of the Greek loan portfolio;
      • information provided to the Company by QQuant (which in principle is limited and may be anonymised unless required otherwise under the transaction documents or applicable law).
    2. Categories of data subjects may include:
      • borrowers under the acquired loans and persons related to such loans (co-borrowers, guarantors, persons providing security, legal successors, etc.);
      • individuals whose information is included in loan documentation or enforcement processes;
      • directors, officers or contact persons of service providers engaged by the Company.
    3. We process personal data strictly for the purposes outlined below.

  1. Purposes of Processing and Legal Bases

Purpose of Processing Legal Basis → Art. 6 GDPR

Compliance with legal and regulatory obligations applicable to the Company (including anti-money-laundering, tax, prudential, reporting etc) → Art. 6(1)(c) legal obligation.

Monitoring, administering and enforcing the Company’s rights in relation to the acquired loan portfolio, and performing obligations under the relevant transaction documents → Art. 6(1)(b) performance of a contract; and/or Art. 6(1)(f) — legitimate interests of the Company.

Maintaining records, managing corporate operations, and interacting with service providers → Art. 6(1)(f) legitimate interests.

Protecting the Company’s rights, including the establishment, exercise or defence of legal claims → Art. 6(1)(f) legitimate interests.

Where processing is based on legitimate interests, those interests relate to, compliance with legal obligations, and safeguarding the Company’s contractual and economic rights.


  1. Data Processors and Other Controllers
    1. The Company engages various professional service providers (administrators, corporate services firms, legal advisors, auditors, IT and transaction counterparties).
      Where such parties process personal data on behalf of the Company, the relationship is governed by written agreements containing GDPR-compliant data protection terms.
      In this context, the Company may rely on processors to carry out processing activities on its behalf, including without limitation:
      • Centralis Group S.A. (registered address: 8-10 Avenue de la Gare, L-1610 Luxemburg, Luxembourg , contact details: CRC@centralisgroup.com ) and
      • Christofferson Robb & Company (UK) LLP (registered address: 11 Waterloo Place, London, SW1Y 4AU, contact details: crclegal@christoffersonrobb.com
        • Such processors perform their functions strictly in accordance with the Company’s instructions and Article 28 GDPR..
    2. The Servicer acts as an independent data controller for the processing of borrowers’ data when performing servicing activities. Borrowers should therefore consult Servicer’s own privacy notice for detailed information regarding data processed directly by the Servicer. Only limited information is shared with the Company, in accordance with the applicable agreements.

  1. Categories of Personal Data Processed

    Depending on the relationship with each data subject, the categories of data processed may include:

    • Identification and contact data (name, address, telephone, email, ID numbers).
    • Financial information (loan details, outstanding amounts, payment history).
    • Contractual documents and related information (loan contracts, guarantees, security documents).
    • Information required for legal, regulatory or compliance purposes.
    • Technical log or communication data when interacting with service providers.

    The Company does not seek to process special categories of personal data. If such data exceptionally arise in documentation (e.g., within enforcement files), they will be processed strictly in accordance with GDPR.


  1. Disclosures of Personal Data

    Personal data may be shared only where necessary and proportionate, including with:

    • QQuant, in its role as servicer;
    • professional advisors and auditors;
    • regulated service providers involved in the transaction;
    • courts, regulatory or supervisory authorities, or law-enforcement agencies, where legally required;
    • other parties to the transaction documents.

    Transfers will be limited to what is strictly required for the relevant purposes.


  1. International Transfers

    If personal data are transferred outside the European Economic Area, such transfer will take place in compliance with Chapter V of the GDPR, including the use of:

    • European Commission Standard Contractual Clauses, or
    • other transfer mechanisms permitted under applicable law.

  1. Data Security

    We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures are maintained and updated proportionately to the risks involved.


  1. Data Retention

    Personal data will be retained only for as long as necessary for:

    • the duration of the loan portfolio ownership and any subsequent legally required period;
    • compliance with applicable limitation periods;
    • meeting regulatory or contractual record-keeping requirements;
    • protecting the Company’s legal interests.

  1. Data Subject Rights

    Data subjects have the following rights under the GDPR:

    • right to access their personal data;
    • right to rectification;
    • right to erasure (“right to be forgotten”) subject to legal limitations;
    • right to restriction of processing;
    • right to data portability (where applicable);
    • right to object to processing based on legitimate interests;
    • right not to be subject to automated decision-making (if applicable).

    Requests relating to the servicing of loans should be addressed primarily to QQuant, as the servicer and independent controller:

    QQuant Master Servicer Μονοπρόσωπη Α.Ε.Δ.Α.Δ.Π.

    66 Kifisias Ave., 15125 Maroussi, Greece

    Email: nimbus@qquant.gr

    The Company will cooperate with QQuant to address such requests where relevant.


  1. Complaints/ Contact Details

    Details of the Company’s contact point for data-protection–related matters will be completed following confirmation from Luxembourg counsel.

    CRC CF (Lux) S.à r.l.

    8-10 Avenue de la Gare,

    L-1610,

    Luxembourg

    Emailο: CRC@centralisgroup.com; Katia.Velter@centralisgroup.com and crclegal@christoffersonrobb.com shall be copied on all such correspondence.

    Telephone: +352 26 186 517



Glossary

“Company” — CRC CF (Lux) S.à r.l. acting in respect and on behalf of its compartment “Nimbus”.

“Personal Data” — information relating to an identified or identifiable natural person.

“Processing” — any operation performed on Personal Data (collection, storage, disclosure, etc.).

“Data Controller” — the entity determining the purposes and means of the processing.

“Data Processor” — an entity processing data on behalf of a data controller.

“Special Categories of Personal Data” — data relating to health, political opinions, religious beliefs, biometric or genetic data, etc.

“Servicer” or “QQuant” — QQuant Master Servicer Μονοπρόσωπη Α.Ε.Δ.Α.Δ.Π., acting as independent controller for servicing operations.


Types of Personal Data

  1. Categories of Data Subject: Borrowers and related persons

    Type of Personal Data: Name, mailing and residential addresses, email address, telephone number, beneficiary name, nationality, date of birth, account number, bank account details, tax identification number, etc.

  2. Categories of Data subjects: Directors and designated persons within the Company.

    Type of Personal Data: Name, mailing and residential addresses, email address, telephone number, date of birth, nationality, etc

  3. Categories of Data Subjects: Employees of Company, service providers.

    Type of Personal Data: Name, mailing address, email address and telephone number, etc.